[1] A host is a preloadable HSTS host if, when Known HSTS Host domain name matching is applied, it superdomain-matches a Known HSTS Host that has both the includeSubDomains directive and the preload directive, or congruently matches a Known HSTS Host that has the preload directive >>7.
Note that the preload flag in the HSTS header is required to confirm and authenticate your submission to the preload list. An example valid HSTS header:
Strict-Transport-Security: max-age=10886400; includeSubDomains; preload
[4] http/transport_security_state_static.json - chromium/src/net - Git at Google ( version) https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json
[5] There also seem to be people who registered for HSTS Preload without understanding what it means and then got into trouble, for example finding they could no longer connect to their subdomains. That should not happen unless you explicitly put includeSubDomains and preload in the header, so presumably they copy-pasted from some explanatory site and registered without understanding it...
[8] #16584 (HSTS preload list out of date?) – Tor Bug Tracker & Wiki ( version) https://trac.torproject.org/projects/tor/ticket/16584
[9] nsSTSPreloadList.inc - DXR ( version) https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/nsSTSPreloadList.inc
If you maintain a project that provides HTTPS configuration advice or provides an option to enable HSTS, do not include the preload directive by default. We get regular emails from site operators who tried out HSTS this way, only to find themselves on the preload list by the time they find they need to remove HSTS to access certain subdomains.
We limit the list to hosts that send a large max-age under the assumption that these sites will not revert to non-HSTS status. However, this may become necessary. Suppose ownership of a domain on the preload list is transferred and the new owner decides to no longer use HSTS. The HSTS spec allows the site to send a header with the directive “max-age=0”. This indicates that HSTS should not be enforced for that host, and the browser would honor this. The preload list must replicate this behavior.
To accomplish this task, we introduce the concept of “knockout” entries in our HSTS implementation. When the browser receives an HSTS header with “max-age=0”, a knockout entry is stored that overrides the corresponding entry in the preload list. The knockout entry essentially says, “We have no HSTS information regarding this host.” As a result, the browser behaves as if the host were not on the preload list.
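The following is an added example, not code from this page, from hstspreload.org or from Chromium. It models the two mechanisms described above in one place: RFC 6797 Known HSTS Host matching and the "preloadable HSTS host" definition from [1], and the "knockout" entry that a max-age=0 header creates to shadow a preload entry. It assumes plain in-memory dicts in place of the browser's HSTS store and the static preload list, ignores expiry, and uses constructed sample domains (example.com, preload-only.test).

```python
# Added example, not code from the page, from hstspreload.org or from Chromium.
# It models RFC 6797 Known HSTS Host matching, the "preloadable HSTS host" test,
# and the "knockout" entry created by max-age=0. Assumptions: plain dicts stand in
# for the browser's HSTS store and the static preload list, expiry is ignored,
# and the sample domains (example.com, preload-only.test) are constructed.
from dataclasses import dataclass

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_sts_header(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns None for an invalid header: max-age missing or non-numeric, or a
    directive repeated. Unknown directives are ignored, empty ones permitted."""
    max_age, include_subdomains, preload, seen = None, False, False, set()
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name in seen:          # repeated directive invalidates the whole header
            return None
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return None if max_age is None else HstsPolicy(max_age, include_subdomains, preload)

def congruent_match(host, known):
    """RFC 6797 section 8.2: identical names, label for label."""
    return host.lower() == known.lower()

def superdomain_match(host, known):
    """RFC 6797 section 8.2: `known` is a proper superdomain (label suffix) of `host`."""
    h, k = host.lower().split("."), known.lower().split(".")
    return len(h) > len(k) and h[-len(k):] == k

def is_preloadable(host, known_hosts):
    """Superdomain match on a Known HSTS Host carrying both includeSubDomains and
    preload, or congruent match on one carrying preload (the definition in [1])."""
    for domain, pol in known_hosts.items():
        if pol.preload and (congruent_match(host, domain) or
                            (pol.include_subdomains and superdomain_match(host, domain))):
            return True
    return False

class HstsStore:
    """Static preload entries plus dynamic entries learned from response headers."""
    def __init__(self, preload):
        self.preload = {d.lower(): p for d, p in preload.items()}
        self.dynamic = {}  # host -> HstsPolicy, or None for a knockout entry

    def process_header(self, host, value):
        pol = parse_sts_header(value)
        if pol is None:
            return  # invalid header leaves existing state untouched
        # max-age=0 stores a knockout: "no HSTS information regarding this host",
        # which shadows the preload entry for the same host.
        self.dynamic[host.lower()] = None if pol.max_age == 0 else pol

    def _policy_for(self, domain):
        if domain in self.dynamic:  # dynamic state, knockout included, wins
            return self.dynamic[domain]
        return self.preload.get(domain)

    def should_upgrade(self, host):
        """HSTS applies if the host itself has an entry, or a superdomain has one
        with includeSubDomains; a knocked-out superdomain contributes nothing."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            pol = self._policy_for(".".join(labels[i:]))
            if pol is not None and (i == 0 or pol.include_subdomains):
                return True
        return False

# Constructed sample preload list: one entry with includeSubDomains, one without.
PRELOAD = {
    "example.com": HstsPolicy(31536000, True, True),
    "preload-only.test": HstsPolicy(31536000, False, True),
}

if __name__ == "__main__":
    store = HstsStore(PRELOAD)
    print(store.should_upgrade("www.example.com"))    # True
    store.process_header("example.com", "max-age=0")  # knockout entry
    print(store.should_upgrade("www.example.com"))    # False
```

Two details worth noticing: a preload entry without includeSubDomains never makes a subdomain preloadable (the situation [5] warns about only arises when both directives were sent), and the knockout is keyed on the exact host, so after example.com sends max-age=0 the subdomain www.example.com also stops being upgraded, because the only entry that covered it was the shadowed preload entry.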
[55] Google Developers Japan: Introducing .app, a more secure home for apps on the web () https://developers-jp.googleblog.com/2018/05/introducing-app-more-secure-home-for.html
[12] 853934 - Some captive portals are using 1.1.1.1 and breaking because it's HSTS preloaded - chromium - Monorail () https://bugs.chromium.org/p/chromium/issues/detail?id=853934
[13] net/http/transport_security_state_static.json - chromium/src - Git at Google () https://chromium.googlesource.com/chromium/src/+/master/net/http/transport_security_state_static.json
[14] chromium/hstspreload.org: Chromium's HSTS preload list submission website. () https://github.com/chromium/hstspreload.org
[15] chromium/hstspreload: 🔒🔍 A Go package to scan sites against requirements for Chromium-maintained HSTS preload list. () https://github.com/chromium/hstspreload