Expect-CT net-internals doesn't seem to work on report-only policies
Issue description: The Query Expect-CT section on chrome://net-internals#hsts doesn't seem to work for report-only policies like on github.com and facebook.com.
Oct 23 2017
Oops, my mistake. It looks like things are working fine -- the trick is that facebook's policy is on www.facebook.com, not facebook.com. The former domain shows up as expected in chrome://net-internals.
Oct 23 2017
Unfortunately I'm still not getting the expected results (using www.facebook.com). Screenshot is attached. I'm also unable to see it on our domain (themeforest.net) which has been updated to use the correct delimiter. Is there another requirement here for this to work that I'm missing? A requirement on `max-age` or such? My Chrome version has been bumped ever so slightly to 64.0.3247.0.
Oct 23 2017
It looks like you're serving a max-age of 0 on themeforest.net, so the Expect-CT entry won't get stored (or will get deleted immediately). Similarly, www.facebook.com has a pretty short max-age, is it possible it's expiring before you're querying for it?
Oct 23 2017
You are spot on :) Thanks for the explanation and can confirm it is as expected.
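The behaviour the thread converges on (a `max-age` of 0 means no entry is stored or an existing one is removed, a short `max-age` means the entry is gone by the time you query it, and a header with the wrong delimiter is ignored as malformed) can be modelled in a few dozen lines. The following is an added example, not Chromium's implementation: it parses an Expect-CT header value per the RFC 9163 grammar (comma-separated directives, `max-age` required, `enforce` and `report-uri` optional, malformed headers ignored) and keeps a small in-memory store keyed by host. The header values and host names in `scenario()` are constructed for illustration; `now` is passed in as seconds so expiry is deterministic.

```javascript
// Added example (not Chromium code): a model of Expect-CT header parsing and
// storage, to show why a max-age of 0 or a short max-age leaves nothing to
// find when the host is queried later.

// Parse an Expect-CT header value. Directives are comma-separated (RFC 9163);
// `max-age` is required; `enforce` takes no value; `report-uri` is quoted.
// Returns null for a malformed header so the caller ignores it entirely, which
// is what RFC 9163 requires of user agents.
function parseExpectCT(value) {
  const result = { maxAge: null, enforce: false, reportUri: null };
  for (const raw of value.split(',')) {
    const directive = raw.trim();
    if (directive === '') continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (val !== null && val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
      val = val.slice(1, -1);
    }
    switch (name) {
      case 'max-age':
        // A semicolon-delimited header ends up here as "30; report-uri=..."
        // and fails this check, so the whole header is treated as malformed.
        if (val === null || !/^\d+$/.test(val)) return null;
        result.maxAge = Number(val);
        break;
      case 'enforce':
        if (val !== null) return null; // `enforce` must not carry a value
        result.enforce = true;
        break;
      case 'report-uri':
        if (val === null) return null;
        result.reportUri = val;
        break;
      default:
        // Unknown directives are ignored for forward compatibility.
    }
  }
  if (result.maxAge === null) return null;
  return result;
}

// Minimal per-host Expect-CT state with the semantics discussed in the thread:
// max-age=0 removes any stored entry, and a stored entry is only returned
// while it has not expired. `now` is seconds since the epoch.
class ExpectCTStore {
  constructor() { this.entries = new Map(); }

  // Returns true if an entry is now stored for `host`, false otherwise.
  processHeader(host, headerValue, now) {
    const parsed = parseExpectCT(headerValue);
    if (parsed === null) return false;     // malformed: state is unchanged
    if (parsed.maxAge === 0) {             // max-age=0 clears the entry
      this.entries.delete(host);
      return false;
    }
    this.entries.set(host, {
      expiry: now + parsed.maxAge,
      enforce: parsed.enforce,
      reportUri: parsed.reportUri,
    });
    return true;
  }

  // Returns the stored entry, or null if there is none or it has expired.
  query(host, now) {
    const entry = this.entries.get(host);
    if (!entry) return null;
    if (now >= entry.expiry) { this.entries.delete(host); return null; }
    return entry;
  }
}

// Constructed scenario mirroring the thread: one host sends max-age=0, one
// sends a short report-only policy that expires before the later query.
function scenario() {
  const store = new ExpectCTStore();
  const t0 = 1000;
  const zeroStored = store.processHeader(
    'zero.example', 'max-age=0, report-uri="https://report.example/ct"', t0);
  const shortStored = store.processHeader(
    'short.example', 'max-age=30, report-uri="https://report.example/ct"', t0);
  return {
    zeroStored,                                       // false
    shortStored,                                      // true
    shortVisibleAt10s: store.query('short.example', t0 + 10) !== null, // true
    shortVisibleAt60s: store.query('short.example', t0 + 60) !== null, // false
  };
}
```

Querying a host in chrome://net-internals only tells you what is in the store at that moment, so with a short `max-age` the window in which the entry is visible can be shorter than the time it takes to switch tabs and run the query.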
Comment 1 by jacob.be...@gmail.com, Oct 22 2017