- From: John Wilander <notifications@github.com>
- Date: Mon, 18 May 2020 13:09:34 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 18 May 2020 20:09:47 UTC
> @johnwilander I have another question. If I navigate to `example.com` and that embeds `elsewhere.invalid` in a frame. Both attempt to set HSTS, does only `example.com` succeed?
>
> The blog post focuses primarily on subdomains which throws me off a bit.

I don’t know what the “invalid” TLD signals, but Safari only allows first parties to set HSTS and has done so since 2013, I believe. This basic rule was mentioned in our email to IETF WebSec: https://mailarchive.ietf.org/arch/msg/websec/t_R00ZDVHrBmroEX989GeaXdejE/

--
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/920#issuecomment-630409041