Misleading results for subdomains and preloaded TLDs

Question

Misleading results for subdomains and preloaded TLDs

ericlaw1979 opened this issue 7 years ago · 6 comments

ericlaw1979 commented 7 years ago

Repro:

Visit hstspreload.org
Enter blog.google and hit Enter

Expect:
This domain is preloaded

Actual:
Claims it's not preloaded.

This was recently fixed in the HSTSPreload API, but that change doesn't impact the website. Discussion of this limitation is here: chromium/hstspreload#102 (comment)

Answer 1 · 2018-03-01T22:08:35.000Z

The same issue can be seen if you query a subdomain of a preloaded eTLD+1, e.g. Status: www.bayden.com is not preloaded. despite the fact that "bayden.com" is preloaded.

Answer 2 · 2018-03-01T22:15:05.000Z

As a hacky workaround, I suppose we could just issue more queries; dropping one leading TLD label each time.

Answer 3 · 2018-03-02T01:57:26.000Z

#52 / chromium/hstspreload#85 ?

Answer 4 · 2018-03-02T02:50:00.000Z

The change to hstspreload didn't seem to impact hstspreload.org. I haven't yet dug into why that is.

Answer 5 · 2018-03-13T22:25:33.000Z

The change to hstspreload API doesn't fix the problem on hstspreload.org because the website does not use the API :-D

As I stated on chromium/hstspreload#102 (comment), the website uses its own cache of domain states stored in datastore, supposedly to avoid loading the preload list in each request.

Answer 6 · 2018-05-01T21:30:18.000Z

This has now been fixed by #145