Merge time-sensitive HSTS preload list changes to M51 |
|||||
Issue descriptionThis is the M51 version of Issue 601561 . I would like to request a merge of the following two commits to Chrome 51: - https://chromium.googlesource.com/chromium/src/+/d2bdb307d12f0ed4ae4296b72795342f53d11743 - https://chromium.googlesource.com/chromium/src/+/d275537a5620721420d9008ae138fc92d887082c Reasoning (copied from https://crbug.com/601561#c2 ): Although the commits contain a large diff of static data, this data is auto-generated using a process that has been working reliably for the last 2 years. Therefore, the merge is semantically equivalent to removing just those 5 sites from transport_security_state_static.json.
,
May 19 2016
,
May 19 2016
All. The first change is baked. However, as mentioned above, this is a routine process that not caused any trouble before.
,
May 19 2016
(That said, I'm happy to wait until tomorrow to bake the second change if tomorrow is just as good for merging.)
,
May 19 2016
Thank you lgarron@. Approving merge to M51 branch 2704 based on comment #3. Tomorrow before 5:00 PM PST is good for merging too but as it is safe you can merge anytime. Thank you.
,
May 20 2016
Second change is also baked. Will merge right now.
,
May 20 2016
Cross-post from https://crbug.com/527947#c44 : ------------------------------- The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/141931adad025d4577cbac51bcdca75f739f8d3f commit 141931adad025d4577cbac51bcdca75f739f8d3f Author: Lucas Garron <lgarron@chromium.org> Date: Fri May 20 20:43:14 2016 HSTS preload list removals for Chrome 52. Reasons given: sixt.{ch, co.uk, com, com.br, de}: > These HSTS headers (includeSubdomains and preload) were set without > thinking about the consequences in our IT infrastructure and the > affected external hosted sites. apiomat.com: > we need to be removed from the Chrome's preload list as soon as > possible, because some of our subdomains don't have HTTPS. Those are > mostly for internal use and so there is no need the use HTTPS (cost > reasons). We only wanted to use HSTS for our main domain (apiomat.com) > but not for the subdomains. flanco.ro: > Our dev team who manages the our public website has mistakenly > configured the preload function + include_includesubdomains. This > feature has blocked our internal websites as well, even if the don’t > use SSL at all. :( mpac.ca: > Please remove mpac.ca from the HSTS preload list, as the header was > added with the includeSubDomains flag by mistake. Both internal and > external systems share the same apex domain, and it is not possible to > move all internal systems to https in the near future. truweight.in: > Some of my sub-domains e.g. loseweight.truweight.in are actually > hosted by third parties such as leadsquared, unbounce, which do not > support https. 2e-systems.com: > we incorrectly announced HSTS for the complete domain, but we are not > yet ready, there are several internal sites available only over VPN > that we forgot about, so if you can please remove us from the > preloaded list. macaque.io: > We are using campaign monitor for our email marketing platform and > utilising a vanity url of http://macmail.macaque.io. Because we cannot > implement https on this platform we would like to be removed from the > hsts preload list. fless.co.uk: > The domain fless.co.uk runs a url based dynamic proxy on multiple > levels of subdomains so can't be covered by a wildcard certificate. > While the fless.co.uk will return to using hsts once resolved, the > subdomains can't be maintained with hsts. carthage.edu: > we have a few subdomains that are not yet https and that is causing a > bit of a stir. matspar.com, matspar.se: > One of our subdomains, exportera.matspar.se and exportera.matspar.com > needs to be able to be served over http, we did not plan for this ever > to be the case initially. aiflab.com > We don't want to HSTS preload all time. We will manually make https > when we need. but, forcing HSTS preload is panic now-a-days. rushball.net, hiphop.ren: > these domains is no https now lightspeed.com: > We initially included this for all subdomains but that affects > internal servers we have that don’t have ssl certificates required. ceu.edu: > [...] we wanted to force browsers to use https when visiting our main > website. However we now see that unfortunately we have some other > subdomains on other web servers where implementation of SSL is > problematic or delayed, and in the new version of chrome these sites > do not load. end.io: > Please can you remove it as I am the webmaster and it is breaking the > site. alastyr.com: > We use this domain our main domain for hosting services, we provide to > customer non-ssl web services, customers did not connect via Chrome or similar > web browsers. mobocasino.com: >I'd like to remove us because we employ subdomains (other than www) over http >which we cannot serve over https for cost reasons. compuscan.co.za: > We have a few services running internally on HTTP and HSTS is “breaking” this > for us via Chrome browsers. No citable reason for the following. :-() - wover.me - ono.es BUG= 527947 TBR=palmer@chromium.org Review URL: https://codereview.chromium.org/1888913004 . Cr-Commit-Position: refs/heads/master@{#394582} (cherry picked from commit d2bdb307d12f0ed4ae4296b72795342f53d11743) Review URL: https://codereview.chromium.org/2004583002 . Cr-Commit-Position: refs/branch-heads/2704@{#624} Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251} [modify] https://crrev.com/141931adad025d4577cbac51bcdca75f739f8d3f/net/http/transport_security_state_static.h [modify] https://crrev.com/141931adad025d4577cbac51bcdca75f739f8d3f/net/http/transport_security_state_static.json
,
May 20 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2c6c1248f99c03a870a0f7fed80dfa4d7392b5e8 commit 2c6c1248f99c03a870a0f7fed80dfa4d7392b5e8 Author: Lucas Garron <lgarron@chromium.org> Date: Fri May 20 20:59:24 2016 Add login.gov to the HSTS preload list. By special request from Eric Mill (of 18F). login.gov does not exist, but it will be created very soon. BUG= 613292 TBR=palmer@chromium.org Review URL: https://codereview.chromium.org/1992813005 . Cr-Commit-Position: refs/heads/master@{#394693} (cherry picked from commit d275537a5620721420d9008ae138fc92d887082c) Review URL: https://codereview.chromium.org/1999233002 . Cr-Commit-Position: refs/branch-heads/2704@{#625} Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251} [modify] https://crrev.com/2c6c1248f99c03a870a0f7fed80dfa4d7392b5e8/net/http/transport_security_state_static.h [modify] https://crrev.com/2c6c1248f99c03a870a0f7fed80dfa4d7392b5e8/net/http/transport_security_state_static.json
,
May 20 2016
|
|||||
►
Sign in to add a comment |
|||||
Comment 1 by gov...@chromium.org
, May 19 2016