I think there might be a more specific issue here since GitHub have re-deployed their Expect CT policy using the correct delimiter (`,` instead of the previous `;`) and it now appears to be working via chrome://net-internals#hsts even though it is a report only policy. However, looking at facebook.com it is already using the correct delimiter in report only mode however it isn't being shown via chrome://net-internals#hsts.

Chrome version: 64.0.3246.0 (OSX)

Oops, my mistake. It looks like things are working fine -- the trick is that facebook's policy is on www.facebook.com, not facebook.com. The former domain shows up as expected in chrome://net-internals.

Unfortunately I'm still not getting the expected results (using www.facebook.com). Screenshot is attached.

I'm also unable to see it on our domain (themeforest.net) which has been updated to use the correct delimiter. Is there another requirement here for this to work that I'm missing? A requirement on `max-age` or such?

My Chrome version has been bumped ever so slightly to 64.0.3247.0.

Deleted: ybyat.jpg 37.1 KB

	ybyat.jpg 37.1 KB View Download

It looks like you're serving a max-age of 0 on themeforest.net, so the Expect-CT entry won't get stored (or will get deleted immediately). Similarly, www.facebook.com has a pretty short max-age, is it possible it's expiring before you're querying for it?

You are spot on :) Thanks for the explanation and can confirm it is as expected.