hstspreload.org
case sensitive test failure
The current test at https://hstspreload.org returns the following on a domain.
Error: HTTP does not redirect to HTTPS
http://oneexample.com (HTTP) redirects to https://OneExample.com/. The first redirect from
http://OneExample.com should be to a secure page on the same host (https://oneexample.com).
I can't seem to connect to oneexample.com, so I can't verify. (Or is that just meant to be a fake example domain?)
I presume this is because you're asking about a site that doesn't send a lowercase host in the Location header.
I'm happy to accept a PR to https://github.com/chromium/hstspreload that canonicalizes the host for the comparison, along with documentation that the canonicalization covers all reasonable cases (preferably compared to some spec): https://github.com/chromium/hstspreload/blob/0fa929eeb076935b815dd80b91b87b35aad1be49/redirects.go#L105
However, since a site can fix this themselves (and thousands of sites haven't had an issue with the current implementation), it's not a high priority for me personally.
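
One way to do the host canonicalization discussed in the reply above, as an added example that is not code from chromium/hstspreload. The names `canonicalHost` and `sameHostHTTPSRedirect` are hypothetical; it assumes hosts are ASCII (IDNs already in punycode) and treats an explicit port 443 as equal to no port. The case folding follows RFC 3986 section 3.2.2, which defines the host subcomponent as case-insensitive.

```go
package main

import (
	"fmt"
	"net/url"
)

// canonicalHost folds ASCII A-Z to a-z and leaves every other byte alone.
// Assumption: internationalized names arrive already encoded as punycode.
func canonicalHost(h string) string {
	b := []byte(h)
	for i, c := range b {
		if 'A' <= c && c <= 'Z' {
			b[i] = c + 'a' - 'A'
		}
	}
	return string(b)
}

// sameHostHTTPSRedirect reports whether a Location header value points at
// HTTPS on the same host as the original HTTP request, ignoring host case.
func sameHostHTTPSRedirect(origHost, location string) (bool, error) {
	u, err := url.Parse(location)
	if err != nil {
		return false, fmt.Errorf("bad Location %q: %w", location, err)
	}
	// url.Parse lowercases the scheme; a relative Location has none.
	if u.Scheme != "https" {
		return false, nil
	}
	if p := u.Port(); p != "" && p != "443" {
		return false, nil
	}
	return canonicalHost(u.Hostname()) == canonicalHost(origHost), nil
}

func main() {
	// Constructed Location values, using the example domain from the report.
	for _, loc := range []string{
		"https://OneExample.com/",
		"https://www.oneexample.com/",
		"http://OneExample.com/",
	} {
		ok, err := sameHostHTTPSRedirect("oneexample.com", loc)
		fmt.Println(loc, ok, err)
	}
}
```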