- From: Rob Sayre <sayrer@gmail.com>
- Date: Fri, 7 Feb 2020 17:03:18 -0800
- To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Received on Saturday, 8 February 2020 01:03:51 UTC
Hi,

I reported a bug that found HSTS not present for .app, .dev and several other TLDs in Safari on all operating systems, as well as Chrome, Firefox, and Edge on iOS.

https://bugs.webkit.org/show_bug.cgi?id=202925 [perhaps still private]

Google made the issue public about a month ago without asking me:

https://bugs.chromium.org/p/chromium/issues/detail?id=1013612#c44

A commenter on the Chromium bug maintains that this issue is not a bug. However, this issue was responsibly reported, and fixed in iOS 13.3 and contemporaneous releases on other operating systems:

https://developer.apple.com/documentation/ios_ipados_release_notes/ios_ipados_13_3_release_notes

It wasn't exactly a clever exploit (I noticed a .app domain that shouldn't have loaded over http), but perhaps there should be more careful monitoring of HSTS preload lists. At least 600k domains were impacted.

thanks,
Rob
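A preload-coverage check of the kind the message calls for, added here as an example; it is not code from the message or from any browser project. It assumes entries shaped like Chromium's transport_security_state_static.json (`name`, `mode`, `include_subdomains`) and runs over constructed sample data, flagging hosts the list would not upgrade and TLDs that lack a whole-TLD entry.

```python
# Constructed sample entries in the shape of Chromium's
# transport_security_state_static.json ("name", "mode", "include_subdomains");
# this is not the real preload list.
SAMPLE_PRELOAD = [
    {"name": "app", "mode": "force-https", "include_subdomains": True},
    {"name": "dev", "mode": "force-https", "include_subdomains": True},
    # Preloaded without include_subdomains: covers only this exact host.
    {"name": "example.com", "mode": "force-https", "include_subdomains": False},
]

# Constructed expectation: TLDs a monitor wants preloaded as a whole.
EXPECTED_TLDS = ["app", "dev", "page"]


def preload_entry_for(hostname, entries):
    """Return the entry that applies to hostname, or None.

    An entry applies if its name equals the host, or if it names a parent
    domain and has include_subdomains set; the longest match wins.
    """
    labels = hostname.lower().rstrip(".").split(".")
    by_name = {e["name"].lower(): e for e in entries}
    # Walk from the full host towards the TLD: a.b.app -> b.app -> app
    for i in range(len(labels)):
        entry = by_name.get(".".join(labels[i:]))
        if entry is None:
            continue
        if i == 0 or entry.get("include_subdomains", False):
            return entry
    return None


def is_forced_https(hostname, entries):
    """True if the preload list alone would upgrade http://hostname to https."""
    entry = preload_entry_for(hostname, entries)
    return entry is not None and entry.get("mode") == "force-https"


def missing_tld_preloads(expected_tlds, entries):
    """Monitoring check: expected TLDs lacking a force-https entry that
    includes subdomains (the gap the report above describes)."""
    covered = {
        e["name"].lower()
        for e in entries
        if e.get("mode") == "force-https" and e.get("include_subdomains")
    }
    return sorted(t for t in expected_tlds if t.lower() not in covered)
```

Running `missing_tld_preloads` against each browser's shipped list on a schedule is the kind of monitoring that would have caught a dropped TLD entry before users hit it.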