On Mon, 2018-05-28 at 13:21 +0200, Anne van Kesteren wrote:
> On Mon, May 28, 2018 at 10:20 AM, Claudio Saavedra <csaavedra@igalia.com> wrote:
> > Section 8.1 states:
> >
> > Update the UA's cached information for the Known HSTS Host if either
> > or both of the max-age and includeSubDomains header field value
> > tokens are conveying information different than that already
> > maintained by the UA.
> >
> > The way I understand this is that if a HSTS host keeps sending the same
> > values to a conforming client, this should not update the information
> > cached and hence the cached information will expire after max-age
> > seconds have passed since the _first_reception_ of this header.
>
> I have a hard time reading it another way as well; if true, this
> would be a security bug.
So if this is a security bug, I'm understanding that the desired behavior would be the one described in 11.2. What can be done in the specification to deal with this? Can it be reworded/updated? How can we implementors know which of the behaviors described in 8.1 or 11.2 is to be honored?

Best regards,
Claudio

_______________________________________________
websec mailing list
https://www.ietf.org/mailman/listinfo/websec
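The two readings under discussion differ only in one branch of the UA's header-processing logic, so they are easiest to compare in code. The following is an added, hypothetical HSTS cache written for this thread; it is not code from any browser or from RFC 6797 itself. `refresh_on_every_response=False` implements the literal reading of section 8.1 (only update the cached entry when the max-age or includeSubDomains tokens differ, so the expiry stays anchored to the first response), and `refresh_on_every_response=True` implements the reading Claudio points to in 11.2 (every received header re-arms the expiry). The header parser is a simplified version of the section 6.1 grammar (a quoted or bare max-age value, case-insensitive directive names, duplicates rejected, unknown directives ignored), the max-age=0 removal rule is the one stated in 8.1, and the superdomain lookup follows the includeSubDomains matching rule; the host names and timestamps are constructed.

```python
"""Hypothetical HSTS cache contrasting the two readings of RFC 6797 8.1 / 11.2.
Added example for this thread; not browser code, not part of the RFC."""
import re
from dataclasses import dataclass

# max-age value may be bare or quoted (RFC 6797 6.1); names are case-insensitive.
_MAX_AGE_RE = re.compile(r'^max-age=("?)(\d+)\1$', re.IGNORECASE)


def parse_sts(value):
    """Parse a Strict-Transport-Security field value.

    Returns (max_age, include_subdomains), or None when the header is
    invalid (missing max-age, malformed max-age, or a repeated directive).
    """
    max_age = None
    include_subdomains = False
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name = directive.split("=", 1)[0].strip().lower()
        if name in seen:
            return None  # directives MUST NOT appear more than once
        seen.add(name)
        if name == "max-age":
            m = _MAX_AGE_RE.match(directive)
            if m is None:
                return None
            max_age = int(m.group(2))
        elif name == "includesubdomains":
            include_subdomains = True
        # unknown directives are ignored
    if max_age is None:
        return None
    return max_age, include_subdomains


@dataclass
class KnownHost:
    max_age: int
    include_subdomains: bool
    expires: float  # absolute time, seconds


class HstsCache:
    def __init__(self, refresh_on_every_response):
        self.refresh_on_every_response = refresh_on_every_response
        self.known = {}

    def process_header(self, host, value, now):
        """Apply one STS header received over TLS from `host` at time `now`."""
        parsed = parse_sts(value)
        if parsed is None:
            return  # invalid header: ignore it, keep the cached policy
        max_age, include_subdomains = parsed
        if max_age == 0:
            self.known.pop(host, None)  # 8.1: max-age=0 removes the policy
            return
        old = self.known.get(host)
        # Literal 8.1 reading: the tokens are unchanged, so do not touch the entry.
        if (old is not None and not self.refresh_on_every_response
                and old.max_age == max_age
                and old.include_subdomains == include_subdomains):
            return
        self.known[host] = KnownHost(max_age, include_subdomains, now + max_age)

    def is_known_host(self, host, now):
        """True if `host` (or a superdomain with includeSubDomains) has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.known.get(candidate)
            if entry is None:
                continue
            if now >= entry.expires:
                del self.known[candidate]  # expired: forget it
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def simulate(refresh_on_every_response):
    """Same header received at t=0 and t=60 with max-age=100; probe at 90/150/170."""
    cache = HstsCache(refresh_on_every_response)
    header = "max-age=100; includeSubDomains"
    cache.process_header("example.com", header, now=0)
    cache.process_header("example.com", header, now=60)
    return {t: cache.is_known_host("example.com", t) for t in (90, 150, 170)}


if __name__ == "__main__":
    print("literal 8.1 reading:", simulate(False))
    print("11.2 reading:       ", simulate(True))
```

Under the literal 8.1 reading the second response at t=60 is a no-op, so the policy lapses at t=100 even though the host was still asserting it; under the 11.2 reading the expiry moves to t=160. The gap between the two is exactly the window in which a downgrade to plain HTTP is possible against a user who visited the site shortly before the original max-age ran out.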
