Starred by 2 users

Issue metadata

Status: Fixed
Closed: May 2015
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug

Remove domain from the HSTS Preload list

Reported by, May 12 2015

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36

Steps to reproduce the problem:
1. visit e.g.
2. see the certificate error because of "no TLS certificate installed" and HSTS active

What is the expected behavior?
HSTS active for - but not for the subdomains

What went wrong?
"include subdomains => true"

As I saw, it's just possible with the "include subdomains" entry. So maybe the best way is to remove it. We already set the max-age to zero.

Did this work before? N/A 

Chrome version: 42.0.2311.135  Channel: stable
OS Version: Ubuntu 14.04
Flash Version: Shockwave Flash 17.0 r0

For sure, we want to install TLS certificates for every subdomain. 

But there are some "internal" sites, where it's not possible.
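
An added example, not part of the original report and not Chromium's code: a simplified model of the HSTS lookup described above, using a constructed preload entry for the placeholder domain example.test. It shows why sub-subdomains without certificates are forced to HTTPS and why a `max-age=0` header clears only header-learned state, not a preloaded entry.

```python
import time

# Constructed stand-in for one preload-list entry (example.test is a placeholder).
PRELOADED = {"example.test": {"include_subdomains": True}}

def parse_sts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age is required")
    return max_age, include_sub

class HstsStore:
    """Hypothetical model: a static (preloaded) table plus a dynamic (header) table."""
    def __init__(self, preloaded):
        self.static = preloaded
        self.dynamic = {}  # host -> (expiry, include_subdomains)

    def note_header(self, host, header, now=None):
        now = time.time() if now is None else now
        max_age, include_sub = parse_sts(header)
        if max_age == 0:
            self.dynamic.pop(host, None)  # only header-learned state is dropped
        else:
            self.dynamic[host] = (now + max_age, include_sub)

    def must_upgrade(self, host, now=None):
        """Return 'static', 'dynamic' or None for the policy that covers host."""
        now = time.time() if now is None else now
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):  # walk from the host up through its parents
            candidate, exact = ".".join(labels[i:]), i == 0
            s = self.static.get(candidate)
            if s and (exact or s["include_subdomains"]):
                return "static"
            d = self.dynamic.get(candidate)
            if d and d[0] > now and (exact or d[1]):
                return "dynamic"
        return None
```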

Comment 1 by, May 12 2015

Labels: -OS-Linux OS-All
Status: Assigned
Project Member

Comment 2 by, May 13 2015

Comment 3 by, May 13 2015

Status: Fixed

Comment 4 by, May 19 2015

Labels: Needs-Feedback
Didn't observe any certificate error on version 42.0.2311.152, Mac OS 10.10.3. Same behavior is seen on the latest M-44 (44.0.2403.4).

Attached is the screen-shot of the same.

agl@,  kevin@: Could you please help in verifying this fix or if anything is being missed here.

First: thank you very much for the fast reaction!

We fixed the problem for the public sites proactively and migrated all sites to https://

But we can't migrate the internal sites - because there are many sites with sub-subdomain etc: 

Anyway, I saw that you removed our domain in the 44.x and 45.x branch.
It would be perfect if that's also possible for 43.x until the final release.
Otherwise: issue fixed :-)

cheers from Zurich.
Blocking: chromium:527947
Labels: Hotlist-HSTS-Preload-Removals
Summary: Remove domain from the HSTS Preload list (was: Remove my domain from HSTS Preload list )
Blocking: -527947
Components: Internals>Network>DomainSecurityPolicy