On Mon, May 28, 2018 at 10:20 AM, Claudio Saavedra <[email protected]> wrote:

> Section 8.1 states:
>
> Update the UA's cached information for the Known HSTS Host if either
> or both of the max-age and includeSubDomains header field value
> tokens are conveying information different than that already
> maintained by the UA.
>
> The way I understand this is that if a HSTS host keeps sending the same
> values to a conforming client, this should not update the information
> cached and hence the cached information will expire after max-age
> seconds have passed since the _first_reception_ of this header.
I have a hard time reading it another way as well; if true, this would be a security bug.

-- 
https://annevankesteren.nl/

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
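The two readings of section 8.1 discussed in this thread, as an added example that is not part of the original mailing-list exchange: a toy model of a UA's HSTS cache in which `refresh_on_repeat=False` implements the literal reading (identical directive values never touch the cached entry) and `True` re-arms the expiry on every receipt, so the effect on a host that keeps sending the same header can be compared directly. The class names, host name, timestamps and max-age values are constructed.

```python
from dataclasses import dataclass
from typing import Dict

# Constructed example (not from the websec thread): a minimal model of a UA's
# HSTS cache, parameterised by how it treats a repeated, unchanged STS header.

@dataclass
class HstsEntry:
    max_age: int
    include_subdomains: bool
    expires_at: float  # absolute time after which the host is no longer Known

class HstsCache:
    def __init__(self, refresh_on_repeat: bool) -> None:
        # False models the literal reading of section 8.1 quoted above: identical
        # directive values leave the entry untouched, so expiry runs from the
        # first reception.  True re-arms the expiry on every receipt.
        self.refresh_on_repeat = refresh_on_repeat
        self.entries: Dict[str, HstsEntry] = {}

    def is_known(self, host: str, now: float) -> bool:
        entry = self.entries.get(host)
        if entry is None:
            return False
        if now >= entry.expires_at:
            del self.entries[host]  # expired: the host is no longer a Known HSTS Host
            return False
        return True

    def receive(self, host: str, max_age: int, include_subdomains: bool, now: float) -> None:
        """Process an STS header received from `host` over a secure transport."""
        self.is_known(host, now)  # purge an already-expired entry before comparing
        cur = self.entries.get(host)
        unchanged = (cur is not None and cur.max_age == max_age
                     and cur.include_subdomains == include_subdomains)
        if unchanged and not self.refresh_on_repeat:
            return  # literal reading: nothing "different", so nothing is updated
        self.entries[host] = HstsEntry(max_age, include_subdomains, now + max_age)

def still_known_after_repeat(refresh_on_repeat: bool) -> bool:
    """Two visits one hour apart, each returning the identical header max-age=7200.
    Reports whether example.com is still Known one second before the expiry the
    second header should have established (t = 3600 + 7199 = 10799)."""
    cache = HstsCache(refresh_on_repeat)
    cache.receive("example.com", 7200, False, now=0.0)
    cache.receive("example.com", 7200, False, now=3600.0)
    return cache.is_known("example.com", now=10799.0)
```

Under the literal reading the entry silently lapsed at t=7200 even though the host sent a fresh header at t=3600, which is the exposure the reply above calls a security bug; re-arming on every receipt keeps the host Known until t=10800.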
