chromium/hstspreload.org

case sensitive test failure

The current test at https://hstspreload.org returns the following on a domain.

Error: HTTP does not redirect to HTTPS
http://oneexample.com (HTTP) redirects to https://OneExample.com/. The first redirect from
http://OneExample.com should be to a secure page on the same host (https://oneexample.com).

I can't seem to connect to oneexample.com, so I can't verify. (Or is that just meant to be a fake example domain?)

I presume this is because you're asking about a site that doesn't send a lowercase host in the Location header.

I'm happy to accept a PR to https://github.com/chromium/hstspreload that canonicalizes the host for the comparison, along with documentation that the canonicalization covers all reasonable cases (preferably compared to some spec): https://github.com/chromium/hstspreload/blob/0fa929eeb076935b815dd80b91b87b35aad1be49/redirects.go#L105

However, since a site can fix this themselves (and thousands of sites haven't had an issue with the current implementation), it's not a high priority for me personally.
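
The host comparison discussed in this thread, as an added example that is not part of the original issue and is not the hstspreload project's code: it checks a first redirect's `Location` value against the request host while ignoring ASCII letter case only. The function names and sample inputs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// asciiLower lowercases only A-Z. URI hosts and DNS names are
// case-insensitive for ASCII letters (RFC 3986 section 3.2.2, RFC 4343).
// Unicode folding such as strings.EqualFold would also match U+212A
// (KELVIN SIGN) against "k", which is a different host.
func asciiLower(s string) string {
	return strings.Map(func(r rune) rune {
		if r >= 'A' && r <= 'Z' {
			return r + ('a' - 'A')
		}
		return r
	}, s)
}

// firstRedirectOK (hypothetical name) reports whether a Location header
// value is an absolute https URL on the same host as the request.
// Only letter case is normalized; an explicit port, a trailing dot or a
// different label still counts as a different host.
func firstRedirectOK(requestHost, location string) (bool, error) {
	u, err := url.Parse(location)
	if err != nil {
		return false, err
	}
	if u.Scheme != "https" { // url.Parse already lowercases the scheme
		return false, nil
	}
	return asciiLower(u.Host) == asciiLower(requestHost), nil
}

func main() {
	// Constructed sample inputs, modeled on the error text in the issue.
	for _, loc := range []string{
		"https://OneExample.com/",
		"https://www.oneexample.com/",
		"http://OneExample.com/",
	} {
		ok, err := firstRedirectOK("oneexample.com", loc)
		fmt.Printf("%-30s ok=%v err=%v\n", loc, ok, err)
	}
}
```

IDNA/punycode mapping is left out here; a full canonicalization would need to document how it handles internationalized names.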