Lucas Garron

Glad to see you preloading these domains! :-D Issues with an outdated publix suffix list happen every once in a while, e.g. https://github.com/chromium/hstspreload/issues/79 The Go package hasn't been updated since...

https://hstspreload.org/?domain=1password.com shows `1password.com` as preloaded! 😊

Oh, wait, that appears to be [listed under the old `bulk-18-weeks` policy](https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json?rcl=b48cdcc3aff8303d494bbe253a59a3e4696320bf&g=0&maxsize=11607328&l=4202). Are you sure it was removed?

Our front page is based on a Material Design Lite example, and it looks pretty alright for me on mobile. We can tweak `initial-scale` if the font is too small...

> Doesn't look too good here. Hmm, that looks significantly worse than any device I've tested, or can emulate in DevTools. What is that screenshot from?

> @lgarron do you remember why 3 was used as maxRedirects in [redirects.go](https://github.com/chromium/hstspreload/blob/be995c98f169479ab1938d94ecad0d95b42ea31a/redirects.go)? It was a fairly arbitrary choice. It seemed fine to pick a low initial value and keep...

> @lgarron @nharper any chance to resolve this so that more sites can be submitted to the HSTS preload list? Given the growth of the list, I would say that...

> While I don't have intentions to argue in favor sites not using TLS, I don't see how the this project should have any authority in adding requirements not defined...

I agree with @martijnc: we shouldn't allow automatic submissions of IPs, but we should detect them and give an appropriate message. (In particular, the fact that dynamic HSTS isn't supported...

> 1. Do .js files as a result of the compilation get checked in, and hope that everyone remembers to compile before committing? (I don't like this approach but has...