- From: Rob Sayre <sayrer@gmail.com>
- Date: Fri, 7 Feb 2020 17:03:18 -0800
- To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Received on Saturday, 8 February 2020 01:03:51 UTC
Hi,

I reported a bug that found HSTS not present for .app, .dev and several other TLDs in Safari on all operating systems, as well as Chrome, Firefox, and Edge on iOS.

https://bugs.webkit.org/show_bug.cgi?id=202925 [perhaps still private]

Google made the issue public about a month ago without asking me:

https://bugs.chromium.org/p/chromium/issues/detail?id=1013612#c44

A commenter on the Chromium bug maintains that this issue is not a bug. However, this issue was responsibly reported, and fixed in iOS 13.3 and contemporaneous releases on other operating systems:

https://developer.apple.com/documentation/ios_ipados_release_notes/ios_ipados_13_3_release_notes

It wasn't exactly a clever exploit (I noticed a .app ___domain that shouldn't have loaded over http), but perhaps there should be more careful monitoring of HSTS preload lists. At least 600k domains were impacted.

thanks,
Rob
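As an added illustration of the kind of preload-list monitoring the message asks for (example code, not part of the message or of any browser's implementation), the check below applies the preload lookup rule to a constructed list: an exact entry covers the host, and a parent label (including a bare TLD such as `app`) covers it only if that entry was preloaded with `include_subdomains`. The sample JSON is constructed here and assumed to follow the shape of Chromium's `transport_security_state_static.json` entries; field names beyond `name`, `mode` and `include_subdomains` are not relied on.

```python
"""Check which hosts an HSTS preload list would force to https."""
import json

# Constructed sample (not the real list) in the assumed shape of Chromium's
# preload entries. Bare TLD entries like "app" and "dev" are the case from
# the bug report: they only cover example.app if include_subdomains is honoured.
SAMPLE_PRELOAD_JSON = """
{"entries": [
  {"name": "app", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true},
  {"name": "dev", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true},
  {"name": "example.com", "policy": "custom", "mode": "force-https", "include_subdomains": false},
  {"name": "sub.example.net", "policy": "custom", "mode": "force-https", "include_subdomains": true}
]}
"""


def load_preload(text):
    """Return {name: include_subdomains} for every force-https entry."""
    data = json.loads(text)
    return {e["name"].lower(): bool(e.get("include_subdomains", False))
            for e in data["entries"] if e.get("mode") == "force-https"}


def is_preloaded(host, preload):
    """True if a browser honouring the list must load host over https.

    Walk from the full host name up through its parent labels. An exact
    match always applies; a parent entry applies only with include_subdomains.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in preload and (i == 0 or preload[candidate]):
            return True
    return False


def uncovered_hosts(hosts, preload):
    """Hosts the list does not cover, i.e. hosts that may still load over http.

    Feeding the hosts you expect to be covered (e.g. your own .app domains)
    through this against each browser's shipped list is the monitoring step.
    """
    return [h for h in hosts if not is_preloaded(h, preload)]


PRELOAD = load_preload(SAMPLE_PRELOAD_JSON)

if __name__ == "__main__":
    for h in ["example.app", "www.example.dev", "www.example.com", "example.org"]:
        print(h, "preloaded" if is_preloaded(h, PRELOAD) else "NOT preloaded")
```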