#34: HSTS cache manipulation and misuse by server enabled by wildcard cert
Changes (by jeff.hodges@…):
* status: new => closed
* resolution: => fixed
Adam wondered..
Why not just postMessage of the HTML form element? If you want to be
more sneaky about it, you can just use the HTTP cache. Anyway, web sites
are allowed to send messages to each other.
Yeah. I submitted that item for completeness-sake, it'd gotten shuffled deep
in the
Interesting.
But I don't see how subdomains help. If I have a website called
charcount-5.example.com, and I use a wildcard *.example.com certificate, the
HSTS entry is still written for charcount-5.example.com. Adding subdomains
would affect *.charcount-5.example.com, not 0-H.example.com.
I
Why not just postMessage of the HTML form element? If you want to be
more sneaky about it, you can just use the HTTP cache. Anyway, web sites
are allowed to send messages to each other.
Adam
On Sat, Jan 14, 2012 at 6:52 PM, websec issue tracker
trac+web...@trac.tools.ietf.org wrote:
#34: HSTS cache