Opened on 08/12/2014 at 09:13:16 AM
Last modified on 12/21/2017 at 11:29:28 AM
#1194 new change
Submit adblockplus.org to be included in Chrome's HSTS preload list
| Reported by: | greiner | Assignee: | |
|---|---|---|---|
| Priority: | P3 | Milestone: | |
| Module: | Infrastructure | Keywords: | |
| Cc: | fhd, matze | Blocked By: | #1543 |
| Blocking: | Platform: | Chrome | |
| Ready: | yes | Confidential: | no |
| Tester: | Verified working: | no | |
| Review URL(s): | |||
Description
Background
The Chrome team provides a form which allows domain owners to submit their sites for inclusion in a list that tells the browser that the site is HTTPS-only. According to them "Firefox and Safari also have a preloaded list which feeds from the Chrome list."
What to change
- All pages on adblockplus.org (including subdomains) have to use HTTPS for a successful inclusion so check whether there are any pages which are running on plain HTTP.
- If that is the case, make sure that they will also work fine when using HTTPS and make them use HTTPS after that.
- Modify the Strict-Transport-Security for any pages on adblockplus.org (including subdomains) to include includeSubDomains and preload tags and a max-age tag with a value larger than 10886399.
- Make sure that any redirects also include the Strict-Transport-Security header.
- Go to https://hstspreload.appspot.com/ and submit adblockplus.org for inclusion in the list.
Attachments (0)
Change History (4)
comment:1 Changed on 08/12/2014 at 01:10:27 PM by trev
- Blocked By 51 added
- Ready set
comment:2 Changed on 11/06/2014 at 06:12:59 PM by matze
- Cc matze added
comment:3 Changed on 11/11/2014 at 10:28:34 PM by trev
- Blocked By 1543 added; 51 removed
comment:4 Changed on 12/21/2017 at 11:29:28 AM by fhd
- Cc trev removed
Note: See
TracTickets for help on using
tickets.
This is blocked by #51 - codereview.adblockplus.org is currently the only subdomain without HTTPS support. We cannot turn HTTPS on as long as we don't host it.