Issue 745781

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Closed: Feb 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Feature




Add Tumblr to Chrome's preload list

Reported by j...@tumblr.com, Jul 18 2017

Issue description

We are currently serving both HSTS and HPKP headers for www.tumblr.com and would like to have it added to Chrome's preload-list.

Our subdomains do not 100% meet browser preload-list requirements as they're not all over SSL yet - but we are working on it and would love to get `www` on the list sooner rather than later. They subdomains, or "blogs" on Tumblr, are dynamic in nature and we also support CNAME "blogs"; the project to have SSL support enabled for these is very close to being complete but it will still take time to enforce SSL over everything.

At the current time, the only domain we would like to have added is www.tumblr.com.

Our current HPKP/HSTS headers, which can be verified by going to https://www.tumblr.com, are:

Public-Key-Pins:pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws="; pin-sha256="avlD96PLERV78IN1fD+ab5cupkUDD9wTZWJjHX6VC9w="; max-age=2592000; report-uri="https://cspreports.srvcs.tumblr.com/hpkp";
Strict-Transport-Security:max-age=15552001

Thank you in advance!
Joey Fowler
joey@tumblr.com
 
Cc: mzheng@chromium.org blumberg@chromium.org ligim...@chromium.org
Labels: -Type-Bug Type-Feature
Status: Untriaged (was: Unconfirmed)
Looks like a feature request, looping to folks involved.
Cc: -mzheng@chromium.org -ligim...@chromium.org -blumberg@chromium.org
Components: -Enterprise Internals>Network>DomainSecurityPolicy
Owner: lgar...@chromium.org
Status: Assigned (was: Untriaged)
www.tumblr.com qualifies for a manual exception: https://github.com/chromium/hstspreload.org/wiki/Preload-List-Processes#requirements-for-manual-hsts-entries

In order to preload www.tumblr.com for HSTS, could you:
- add the `preload` directive to the HSTS header, and
- add `includeSubDomains` to the HSTS header or explain why there are subdomains that cannot work with HSTS?

In order to preload www.tumblr.com for HPKP, could you:
- provide full certificate or SPKI values in PEM format, as in [1], corresponding to the dynamic header hashes, and
- add the `preload` directive to the HPKP header?

I can then add the entry.
Thanks,
»Lucas

[1] https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.pins
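The requirements Lucas lists above (a `preload` directive, `includeSubDomains`, a sufficiently long `max-age`, and pin-sha256 values that are base64 SHA-256 digests of an SPKI) can be checked mechanically. The following Python is an added example written for this page; it is not hstspreload.org's submission checker or any Chromium code. It assumes the 18-week `max-age` minimum that hstspreload.org applied at the time of this issue (the site later raised the minimum to one year), and it uses the header values quoted in this thread as constructed sample input. `spki_pin` shows how a pin-sha256 value is derived from a DER-encoded SubjectPublicKeyInfo; extracting that SPKI from a PEM certificate (for example with `openssl x509 -pubkey -noout`) is left outside the function.

```python
import base64
import binascii
import hashlib

# Minimum HSTS max-age the preload form accepted when this issue was filed
# (18 weeks). Assumed value; hstspreload.org later raised it to one year.
HSTS_MIN_MAX_AGE = 18 * 7 * 24 * 3600  # 10886400 seconds

# Header values quoted in this issue, used here as constructed sample input.
HSTS_AS_FILED = "max-age=15552001"
HPKP_AS_FILED = (
    'pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; '
    'pin-sha256="k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws="; '
    'pin-sha256="avlD96PLERV78IN1fD+ab5cupkUDD9wTZWJjHX6VC9w="; '
    'max-age=2592000; report-uri="https://cspreports.srvcs.tumblr.com/hpkp"; preload'
)


def parse_directives(header_value):
    """Split a Strict-Transport-Security or Public-Key-Pins value into
    (name, value) pairs. Names are lower-cased, repeated names such as
    pin-sha256 are kept in order, and valueless directives get None."""
    directives = []
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives.append((name.strip().lower(), value.strip().strip('"') if sep else None))
    return directives


def _max_age(directives):
    """Return the integer max-age, or None if absent or non-numeric."""
    for name, value in directives:
        if name == "max-age" and value is not None and value.isdigit():
            return int(value)
    return None


def check_hsts(header_value, require_subdomains=True):
    """Return the reasons the HSTS header would not pass the preload
    requirements; an empty list means it passes. require_subdomains=False
    models the manual exception granted in this issue."""
    directives = parse_directives(header_value)
    names = {name for name, _ in directives}
    problems = []
    max_age = _max_age(directives)
    if max_age is None:
        problems.append("missing or non-numeric max-age")
    elif max_age < HSTS_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below the minimum {HSTS_MIN_MAX_AGE}")
    if require_subdomains and "includesubdomains" not in names:
        problems.append("missing includeSubDomains")
    if "preload" not in names:
        problems.append("missing preload")
    return problems


def check_hpkp(header_value):
    """Return the reasons the HPKP header is not suitable for preloading:
    every pin-sha256 must decode to a 32-byte SHA-256 digest, there must be
    at least two pins (RFC 7469 requires a backup pin), max-age must be
    numeric, and the preload directive requested in this issue must be set."""
    directives = parse_directives(header_value)
    names = {name for name, _ in directives}
    pins = [value for name, value in directives if name == "pin-sha256"]
    problems = []
    for pin in pins:
        try:
            digest = base64.b64decode(pin or "", validate=True)
        except binascii.Error:
            digest = b""
        if len(digest) != 32:
            problems.append(f"pin is not a base64 SHA-256 digest: {pin!r}")
    if len(pins) < 2:
        problems.append("fewer than two pins (no backup pin)")
    if _max_age(directives) is None:
        problems.append("missing or non-numeric max-age")
    if "preload" not in names:
        problems.append("missing preload")
    return problems


def spki_pin(spki_der):
    """Derive a pin-sha256 value as RFC 7469 defines it:
    base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


if __name__ == "__main__":
    print("HSTS as filed:", check_hsts(HSTS_AS_FILED) or "ok")
    print("HSTS with preload and the subdomain exception:",
          check_hsts(HSTS_AS_FILED + "; preload", require_subdomains=False) or "ok")
    print("HPKP as filed:", check_hpkp(HPKP_AS_FILED) or "ok")
```

Run against the header as first filed, `check_hsts` reports the two gaps Lucas raised (no `includeSubDomains`, no `preload`); with `preload` added and the subdomain requirement waived it passes, and the HPKP header with `preload` appended passes as-is.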

Comment 3 by j...@tumblr.com, Jul 24 2017

Thank you Lucas for the followup.

As an update from our end, we've added `preload` to both the HSTS and HPKP headers for www.tumblr.com. I was unable to find `preload` in the RFC or several online docs for HPKP, but I did manage to see one article that outlines it. As it doesn't appear to affect browsers' support of it, we've included it =]

In regards to `includeSubDomains`, we are currently unable to include this directive. We have several hundred million subdomains at *.tumblr.com, a number which grows daily. While a large, very large, percentage now have SSL enabled, there is still a decent percentage of legacy domains that do not and can't at the current time. We currently have an effort underway to get the entire *.tumblr.com subdomain list served over SSL, but this may take a little while longer (read: months).

As for the PEM, I'll have that uploaded here shortly - but please let me know if you need any additional information other than the above as well.

Thanks,
Joey

Okay, that sounds like a good justification for not including subdomains right now. Good luck with the subdomains!

HSTS: I've verified that all the other requirements are met, and will preload it with the next batch.
HPKP: Thanks! Checking right now, I don't see an HPKP header at https://www.tumblr.com

As for the `preload` directive, we need to get around to standardizing it: Issue 591212
Unfortunately, it's not a high priority compared to other preload/HSTS work. :-/
Ping on the certificates/SPKIs. :-)

Comment 6 by j...@tumblr.com, Aug 3 2017

Sorry for the delay, been a bit hectic schedule-wise here - we'll get those over to you soon; as for the HPKP header at https://www.tumblr.com, I think I've found out the one place where it doesn't show (the initial 302 redirect that occurs when you navigate to `/`).

We'll have that patched shortly too, but for initial verification you should see the following on any other request (including the page that `/` redirects to):

Public-Key-Pins:pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws="; pin-sha256="avlD96PLERV78IN1fD+ab5cupkUDD9wTZWJjHX6VC9w="; max-age=2592000; report-uri="https://cspreports.srvcs.tumblr.com/hpkp"; preload

Comment 7 by j...@tumblr.com, Aug 30 2017

Sorry again for the delay; attached are the PEM files for our pinned certs. Please let me know if there are any issues with the PEM files or if anything else is needed.

Thanks,
Joey

Attachments:
- digicertroot.pem (1.3 KB)
- digicertleaf.pem (4.3 KB)
- digicertint.pem (1.6 KB)
- backup_key.pem (451 bytes)

Comment 8 Deleted

Comment 9 by j...@tumblr.com, Sep 21 2017

Ping for an update =]
Labels: M-63
I'll try to do this by October 12 for Chrome 63. :-)
I've added www.tumblr.com based on its headers here:

https://chromium-review.googlesource.com/c/chromium/src/+/714122

Pins:

    {
      "name": "tumblr",
      "static_spki_hashes": [
        "DigiCertEVRoot",
        "DigiCertSHA2HighAssuranceServerCA",
        "TumblrBackup"
      ],
      "report_uri": "https://cspreports.srvcs.tumblr.com/hpkp"
    }

Entry:

    {
      "name": "www.tumblr.com",
      "mode": "force-https", "include_subdomains": false,
      "include_subdomains_for_pinning": true, "pins": "tumblr"
    },

Comment 12 by bugdroid1@chromium.org, Oct 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fb20f7ee18308d4249be3bb6202a0be4820b2183

commit fb20f7ee18308d4249be3bb6202a0be4820b2183
Author: Lucas Garron <lgarron@chromium.org>
Date: Thu Oct 12 00:09:48 2017

Preload HSTS and HPKP for www.tumblr.com .

TBR=palmer@chromium.org

Bug:  745781 
Change-Id: Ie6f6370f45b842165d14b2c1ea6ffa203643027e
Reviewed-on: https://chromium-review.googlesource.com/714122
Reviewed-by: Lucas Garron <lgarron@chromium.org>
Commit-Queue: Lucas Garron <lgarron@chromium.org>
Cr-Commit-Position: refs/heads/master@{#508184}
[modify] https://crrev.com/fb20f7ee18308d4249be3bb6202a0be4820b2183/net/http/transport_security_state_static.json
[modify] https://crrev.com/fb20f7ee18308d4249be3bb6202a0be4820b2183/net/http/transport_security_state_static.pins

Comment 13 by j...@tumblr.com, Oct 12 2017

Oh that's great news! Is there anything you need from me for this, or will the merge occur with necessary approvals on your end?
Status: Fixed (was: Assigned)
You should be able to observe the change in the latest Canary, and it should make it into Chrome 63.

Let me know if any of the values need to be tweaked (or if e.g. you want to preload tumblr.com itself, without subdomains).

Comment 15 by j...@tumblr.com, Oct 18 2017

This is great, I think everything looks good!

We actually *do* want to preload tumblr.com (without subdomains); but we just realized that we're redirecting from http://tumblr.com to https://www.tumblr.com (without a stop at https://tumblr.com for the hsts/hpkp headers), so we need to put out a patch for that first.

Any chance to leave this ticket open for a little while longer, or should I open another?
Status: Started (was: Fixed)
Sure!
Owner: elawrence@chromium.org
Status: Assigned (was: Started)
Tumblr folks-- Please let me know when you're ready to add the bare tumblr.com domain to the preload list.
Status: WontFix (was: Assigned)
Closing due to lack of action. When the site is ready, it can be added via https://hstspreload.org or by contacting us through that site.
