
Issue metadata

Status: Verified
Closed: Aug 2015
OS: Mac
Pri: 2
Type: Bug
Participants' hotlists: HSTS-Preload



HSTS preload list change for carbonmade.com

Reported by ja...@carbonmade.com, Aug 10 2015

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36

Steps to reproduce the problem:
We inadvertently broke some of our customers' websites, hosted as third-level subdomains of carbonmade.com, by getting listed in the HSTS preload list.

For example:  https://www.dave.carbonmade.com/

We looked into SSL certificates that support multiple levels (i.e. *.*.carbonmade.com), and while this looks to conform to RFC 2818, it doesn't look like any major browsers (including Chrome) will validate them.

What is the expected behavior?
Load third-level domains requested over HTTP over HTTP for carbonmade.com.

If possible: we'd like to maintain our HSTS entry for our top level domain carbonmade.com. i.e. include_subdomains = false.

carbonmade.com is currently listed on line 2435 of the following file:
https://code.google.com/p/chromium/codesearch#chromium/src/net/http/transport_security_state_static.json&l=1565

What went wrong?
We jumped the gun getting listed in the HSTS list without understanding the consequences to our third level domains. Sorry guys.

Did this work before? N/A 

Chrome version: 44.0.2403.130  Channel: stable
OS Version: OS X 10.10.4
Flash Version: Shockwave Flash 18.0 r0
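As an added illustration (not code from this report or from Chromium), the following Python models the two rules that collide here: how a preloaded entry with include_subdomains propagates to every deeper label of carbonmade.com, and why a wildcard certificate covers only one label, so neither *.carbonmade.com nor *.*.carbonmade.com matches www.dave.carbonmade.com. The two JSON fragments are constructed to mirror the shape of transport_security_state_static.json before and after flipping include_subdomains to false.

```python
import json

# Constructed preload fragments in the shape of transport_security_state_static.json
# (assumed for this demo; the real file linked in the report has thousands of entries).
PRELOAD_BEFORE = '{"entries": [{"name": "carbonmade.com", "mode": "force-https", "include_subdomains": true}]}'
PRELOAD_AFTER = '{"entries": [{"name": "carbonmade.com", "mode": "force-https", "include_subdomains": false}]}'


def load_preload(text):
    """Index preload entries by name."""
    return {e["name"]: e for e in json.loads(text)["entries"]}


def labels(host):
    return host.lower().rstrip(".").split(".")


def preload_entry_for(host, entries):
    """Walk from the host up through its parent domains. An exact match always
    applies; a parent entry applies only if its include_subdomains flag is set."""
    parts = labels(host)
    for i in range(len(parts)):
        entry = entries.get(".".join(parts[i:]))
        if entry is not None and (i == 0 or entry.get("include_subdomains", False)):
            return entry
    return None


def forces_https(host, entries):
    entry = preload_entry_for(host, entries)
    return entry is not None and entry.get("mode") == "force-https"


def cert_name_matches(cert_name, host):
    """Wildcard matching as browsers implement it (RFC 6125 style): '*' stands for
    exactly one leftmost label, so *.carbonmade.com covers dave.carbonmade.com
    but not www.dave.carbonmade.com, and *.*.carbonmade.com is rejected too."""
    c, h = labels(cert_name), labels(host)
    if len(c) != len(h):
        return False
    return c[1:] == h[1:] if c[0] == "*" else c == h


def assess(host, cert_name, entries):
    """Classify what a visitor typing http://<host> ends up with."""
    if not forces_https(host, entries):
        return "http-allowed"
    if cert_name_matches(cert_name, host):
        return "https-ok"
    return "https-cert-mismatch"  # the breakage reported for www.dave.carbonmade.com
```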
 

Comment 1 by b...@chromium.org, Aug 10 2015

Cc: davidben@chromium.org
Labels: Cr-Internals-Network-SSL
David: please help, I do not know what the procedure is for modifying HSTS entries. Thanks.

Owner: lgar...@chromium.org
Status: Assigned
I think lgarron is managing the HSTS preload these days.

Hi lgarron, let me know if there are any other details I can provide to get this change applied to the Chromium source. I know it takes a while for these to go through the proper release channels.

- Jason

Cc: agl@chromium.org
Thanks for the poke.

agl@: The only preloaded entries with `"include_subdomains": false` are the Yahoo! bunch.
Would you be alright with changing an individual domain to "include_subdomains": false in-place, or would you prefer to remove it completely?

Comment 5 by agl@google.com, Aug 12 2015

Tweaking the include_subdomains flag is fine in this case.
Status: Fixed
Jason: The update should be in the next Canary build. Let us know whether it's fixed tomorrow.

Status: Verified
Landed in 46.0.2482.0 (Canary).

(Note the 302 instead of 307.)
Attachments: Screen Shot 2015-08-14 at 10.50.31.png, Screen Shot 2015-08-14 at 10.50.27.png

Tested and verified as well. Many thanks for getting this updated. - Jason

Blocking: chromium:527947
Labels: Hotlist-HSTS-Preload-Removals
Blocking: -527947
Components: Internals>Network>DomainSecurityPolicy
Components: -Internals>Network>SSL
