Status: Verified
Closed: Aug 2015
OS: Mac
Pri: 2
Type: Bug


Participants' hotlists:
HSTS-Preload


HSTS preload list change for carbonmade.com
Reported by ja...@carbonmade.com, Aug 10 2015
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36

Steps to reproduce the problem:
We inadvertently broke some of our customers' websites, which are accessed as third-level subdomains of carbonmade.com, by getting listed in the HSTS preload list.

For example:  https://www.dave.carbonmade.com/

We looked into SSL certificates that support multiple levels (i.e. *.*.carbonmade.com), and while this looks to conform to RFC 2818, it doesn't look like any major browsers (including Chrome) will validate them.

What is the expected behavior?
Load third-level domains requested over HTTP over HTTP for carbonmade.com.

If possible: we'd like to maintain our HSTS entry for our top level domain carbonmade.com. i.e. include_subdomains = false.

carbonmade.com is currently listed on line 2435 of the following file:
https://code.google.com/p/chromium/codesearch#chromium/src/net/http/transport_security_state_static.json&l=1565

What went wrong?
We jumped the gun getting listed in the HSTS list without understanding the consequences to our third level domains. Sorry guys.

Did this work before? N/A 

Chrome version: 44.0.2403.130  Channel: stable
OS Version: OS X 10.10.4
Flash Version: Shockwave Flash 18.0 r0
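As an added illustration (not Chromium's code), a small Python model of the two mechanisms in this report: how a preload entry's include_subdomains flag decides whether an http:// request to a nested subdomain gets upgraded, and why a single-label wildcard certificate cannot cover www.dave.carbonmade.com. The two preload entries are constructed to mirror the shape of transport_security_state_static.json before and after the requested change.

```python
# Added example (not Chromium's code): a simplified model of how a preload
# entry's include_subdomains flag affects an http:// request, and why a
# one-label wildcard certificate cannot cover a third-level name.
# Entries are constructed in the shape of transport_security_state_static.json.
from urllib.parse import urlsplit

PRELOAD_BEFORE = [{"name": "carbonmade.com", "mode": "force-https",
                   "include_subdomains": True}]
PRELOAD_AFTER = [{"name": "carbonmade.com", "mode": "force-https",
                  "include_subdomains": False}]


def preload_entry(host, entries):
    """Return the entry governing host, or None. An exact match always
    applies; a parent domain applies only if it sets include_subdomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for entry in entries:
            if entry["name"] == candidate and (i == 0 or entry["include_subdomains"]):
                return entry
    return None


def apply_hsts(url, entries):
    """Upgrade an http:// URL to https:// when a force-https entry covers it
    (Chrome does this as an internal 307 before any request is sent)."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    entry = preload_entry(parts.hostname, entries)
    if entry and entry["mode"] == "force-https":
        return parts._replace(scheme="https").geturl()
    return url


def wildcard_matches(pattern, host):
    """Browser-style (RFC 6125) wildcard matching: '*' must be the entire
    leftmost label and covers exactly one label, so '*.carbonmade.com'
    matches dave.carbonmade.com but not www.dave.carbonmade.com, and a
    '*.*.carbonmade.com' name is rejected rather than matched level by level."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if any("*" in lbl for lbl in p[1:]) or ("*" in p[0] and p[0] != "*"):
        return False
    if len(p) != len(h):
        return False
    return all(a == "*" or a == b for a, b in zip(p, h))
```

With the "before" entry, http://www.dave.carbonmade.com/ is upgraded and then fails certificate validation; with the "after" entry only carbonmade.com itself is upgraded.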
 
Comment 1 by b...@chromium.org, Aug 10 2015
Cc: davidben@chromium.org
Labels: Cr-Internals-Network-SSL
David: please help, I do not know what the procedure is for modifying HSTS entries.  Thanks.
Owner: lgar...@chromium.org
Status: Assigned
I think lgarron is managing the HSTS preload these days.

Hi lgarron, let me know if there are any other details I can provide to get this change applied to the Chromium source. I know it takes a while for these to go through the proper release channels.

- Jason

Cc: agl@chromium.org
Thanks for the poke.

agl@: The only preloaded entries with `"include_subdomains": false` are the Yahoo! bunch.
Would you be alright with changing an individual domain to "include_subdomains": false in-place, or would you prefer to remove it completely?
Comment 5 by agl@google.com, Aug 12 2015
Tweaking the include_subdomains flag is fine in this case.
Status: Fixed
Jason: The update should be in the next Canary build. Let us know whether it's fixed tomorrow.

Status: Verified
Landed in 46.0.2482.0 (Canary).

(Note the 302 instead of 307.)
Attachments: Screen Shot 2015-08-14 at 10.50.31.png, Screen Shot 2015-08-14 at 10.50.27.png
Tested and verified as well. Many thanks for getting this updated. - Jason
Blocking: chromium:527947
Labels: Hotlist-HSTS-Preload-Removals
Blocking: -527947
Components: Internals>Network>DomainSecurityPolicy
Components: -Internals>Network>SSL