Hi WebSec @ IETF!
My name is John Wilander and I’m a security engineer on Apple’s WebKit team.
WebKit, and thus our browser Safari, has some special rules for (non-preload)
HSTS to mitigate HSTS super cookies. I’m sending over the details in case you
want to augment the HSTS specification.
Basic rule: Only allow first parties to set HSTS.
If it’s a response to a top frame load that has an HSTS header, it is obviously
the first party so that's automatically handled. If it’s a response to a
subresource request, it gets more interesting.
As of our latest releases, we only allow the current first-party domain and its
eTLD+1 (formally public suffix + 1) to set HSTS in subresource responses.
Example:
Say you have loaded a page from https://sub.domain.example.com
<https://sub.domain.example.com/>. A response to a subresource request on that
page may set HSTS for:
sub.domain.example.com <http://sub.domain.example.com/> and
example.com <http://example.com/>
It may not set HSTS for:
some.sub.domain.example.com <http://some.sub.domain.example.com/>,
domain.example.com <http://domain.example.com/>, or
other.org <http://other.org/>
Kind regards, John Wilander
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
