> If example.com serves up a policy with includeSubdomains. And
> sub.example.com serves up a policy without includeSubdomains,
> max-age=0, and redirects to http://sub.example.com.
>
> I first visit example.com. And then I visit sub.example.com. What
> happens and where is this defined?
Ok, good question, I'll try to tease this apart a bit...
1. "load" of https://example.com yields, say,..
Strict-Transport-Security: max-age=31536000; includeSubdomains
note: receipt of the above HSTS Policy denotes example.com as a Known HSTS
Host (with includeSubdomains asserted) if it was not already so noted [1].
2. if a subsequent "load" of https://sub.example.com [0] (sub.example.com is
not as yet noted as an HSTS Host) yields..
Strict-Transport-Security: max-age=0
Location: http://sub.example.com
..then, this newly-asserted HSTS Policy (for sub.example.com) ought to be
"noted" per the HSTS storage model [2] since its domain name is not a
"congruent match" for "example.com" [3] -- but it is declaring a max-age of
zero, which would imply not noting it due to the NOTE in [5].
Regardless, due to the "URI Loading and Port Mapping" algorithm [4],
example.com's HSTS Policy will override sub.example.com's declared policy
(if it is noted by some errant UA). Thus the subsequent load of the
Location-specified resource ("the redirect") will have its URI scheme
translated to "https" per [4], and the redirect will be essentially idempotent.
This will continue to be the situation until and if example.com rescinds
its assertion of includeSubdomains or its entire HSTS Policy. I.e.,
sub.example.com may declare an HSTS Policy, and it will be duly noted by
UAs, but it will be overruled by example.com's policy (until the latter is
altered per the foregoing).
This situation is implicated in the discussions in [6], but not explicitly
explained.
If anyone finds bug(s) in this analysis, please raise them.
HTH,
=JeffH
[0] or of http://sub.example.com which will become https://sub.example.com
per [4] due to the HSTS Policy established above.
[1] Strict-Transport-Security Response Header Field Processing
https://tools.ietf.org/html/rfc6797#section-8.1
[2] Noting an HSTS Host - Storage Model
https://tools.ietf.org/html/rfc6797#section-8.1.1
[3] Known HSTS Host Domain Name Matching
https://tools.ietf.org/html/rfc6797#section-8.2
[4] URI Loading and Port Mapping
https://tools.ietf.org/html/rfc6797#section-8.3
[5] The max-age Directive
https://tools.ietf.org/html/rfc6797#section-6.1.1
[6] Implications of includeSubDomains
https://tools.ietf.org/html/rfc6797#section-11.4
end
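The walk-through above can be replayed against a small model of the UA-side state RFC 6797 describes. The following is an added example, not code from the mail, from JeffH, or from any browser; the names (HstsStore, parse_sts, run_scenario, noted_hosts) are my own, and it assumes the Known HSTS Host store is keyed by exact lower-cased host name, that a max-age of zero removes the host's own entry (the NOTE in section 6.1.1), that a superdomain entry only matches when it asserts includeSubDomains (section 8.2), and that http URIs for Known HSTS Hosts are rewritten to https with port 80 mapped to 443 (section 8.3). The scenario step 3 (example.com rescinding its policy) goes beyond the quoted question to show the point at which sub.example.com's redirect stops being rewritten.

```python
"""Toy model of the RFC 6797 (HSTS) processing steps discussed in the mail.
Added example; names and structure are assumptions, not a real UA's code."""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float            # absolute time after which the entry is stale
    include_subdomains: bool  # includeSubDomains directive was present


def parse_sts(field_value):
    """Parse a Strict-Transport-Security field value (RFC 6797 section 6.1).

    Returns (max_age_seconds, include_subdomains), or None when the required
    max-age directive is missing or malformed.  Directive names are
    case-insensitive; unknown directives are ignored.
    """
    max_age, include_sub = None, False
    for directive in field_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """The UA's set of Known HSTS Hosts, keyed by exact (lower-cased) host name."""

    def __init__(self, clock=time.time):
        self._hosts = {}
        self._clock = clock

    def process_response(self, host, scheme, sts_value):
        """Section 8.1: note or update the host, or forget it when max-age is 0."""
        if scheme != "https":            # header is ignored over insecure transport
            return
        parsed = parse_sts(sts_value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:                 # section 6.1.1 NOTE: cease regarding as Known
            self._hosts.pop(host, None)
            return
        self._hosts[host] = HstsEntry(self._clock() + max_age, include_sub)

    def noted_hosts(self):
        """Hosts holding an unexpired entry of their own (section 8.1.1 storage)."""
        now = self._clock()
        return {h for h, e in self._hosts.items() if e.expires > now}

    def is_known(self, host):
        """Section 8.2: congruent match, or superdomain match with includeSubDomains."""
        labels = host.lower().split(".")
        now = self._clock()
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Section 8.3: http -> https and port 80 -> 443 for a Known HSTS Host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.hostname          # userinfo, if any, is dropped in this toy
        if parts.port == 80:
            netloc += ":443"
        elif parts.port is not None:
            netloc += f":{parts.port}"   # other explicit ports are preserved
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def run_scenario(now=1_700_000_000.0):
    """Replay the exchange from the mail with a fixed clock (constructed input)."""
    store = HstsStore(clock=lambda: now)
    # 1. https://example.com answers with a year-long policy covering subdomains.
    store.process_response("example.com", "https",
                           "max-age=31536000; includeSubdomains")
    # 2. https://sub.example.com answers max-age=0 and redirects to http://.
    store.process_response("sub.example.com", "https", "max-age=0")
    result = {
        "sub_noted_itself": "sub.example.com" in store.noted_hosts(),
        "sub_is_known_host": store.is_known("sub.example.com"),
        "redirect_loads": store.rewrite("http://sub.example.com/"),
    }
    # 3. example.com later rescinds its whole policy; the override disappears.
    store.process_response("example.com", "https", "max-age=0")
    result["after_rescind"] = store.rewrite("http://sub.example.com/")
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running it shows sub.example.com never gets an entry of its own (max-age=0), yet is_known still answers true through example.com's includeSubdomains entry, so the http:// redirect target is loaded as https:// and the redirect loops back on itself; only after example.com sends max-age=0 does the rewrite stop.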
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec