Hello!

I would like to raise a little bit of awareness of the current situation of the HSTS preload list in Firefox. This list (https://mxr.mozilla.org/mozilla-central/source/security/manager/boot/src/nsSTSPreloadList.inc) is seeded from a similar list provided by Chromium. But at the moment our list is missing about 80 entries, because we require a max-age of 18 weeks. (See https://bugzilla.mozilla.org/show_bug.cgi?id=786417).

From what I gathered, sites on the Chromium list often don't know that Firefox provides the same feature or had no idea about the max-age requirement. So I propose we actively reach out to sites removed from our list due to max-age. For example, at the moment paypal.com is missing!

We should also promote this feature more widely and get more sites onto that list. In the best case we could manage the list ourselves and push live updates that don't depend on a new Firefox version.
Cheers,
Tom
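
For site operators who want to check a header against the max-age requirement mentioned in the message above, here is an added example (not part of the original post and not Mozilla's code) that parses a Strict-Transport-Security value following the RFC 6797 grammar and compares max-age with 18 weeks. It assumes the 18-week figure is a minimum; the function names and the sample headers are constructed for illustration.

```python
import re

# 18 weeks in seconds; the post's figure, read here as a minimum (assumption).
MIN_MAX_AGE = 18 * 7 * 24 * 60 * 60  # 10886400

# RFC 7230 "token" characters, used for directive names and unquoted values.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns {lowercase directive name: value or None}, or None when the
    header has to be ignored: bad syntax, a repeated directive, or a
    missing or non-numeric max-age. Simplification: a ';' inside a
    quoted value is not supported.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue  # the grammar allows empty directives ("a;;b")
        name, sep, value = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if not _TOKEN.match(name) or name in directives:
            return None  # malformed name, or directive appears twice
        if sep:
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # quoted-string form, e.g. max-age="123"
            elif not _TOKEN.match(value):
                return None
        directives[name] = value if sep else None
    max_age = directives.get("max-age")
    if max_age is None or not (max_age.isascii() and max_age.isdigit()):
        return None  # max-age is REQUIRED and must be decimal digits
    return directives


def meets_preload_max_age(header, minimum=MIN_MAX_AGE):
    """True when the header is valid and its max-age is at least `minimum`."""
    parsed = parse_hsts(header)
    return parsed is not None and int(parsed["max-age"]) >= minimum


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real site.
    for h in ("max-age=31536000; includeSubDomains", "max-age=86400",
              "max-age=31536000; max-age=0", "includeSubDomains"):
        print(f"{h!r}: {meets_preload_max_age(h)}")
```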
