Run a daily status scan of the official preload list. #35
While I see the need to remove old entries, I am worried about the requirements for the HSTS preload list constantly changing. As a website owner, I won't be visiting the HSTS preload page every week so my site may just be removed from the preload list without warning and I won't notice it until many months later. If you want to be stricter to ensure the list doesn't get too long, may I suggest some kind of notification? E.g. if a site no longer meets the requirements, send an e-mail notification to the owner so he can fix it? Website owners could just include their e-mail address when submitting their site. If that's not possible, I guess I could set up a weekly cronjob that queries if my site is still preloaded. Is this the correct way to check the preload status? https://hstspreload.appspot.com/status?domain=example.com
The requirements were not properly codified until recently, and they themselves are not likely to change much. In particular, if we start pruning the list we know we have to be very careful about applying new requirements to old sites.
We explicitly don't collect emails for the preload list. We've talked about an
Yes, I would suggest using that URL. (However, be prepared for a potential redirect from that URL in the future.)
Sounds fine, thanks very much for the reply! I'll just set up a cronjob, that works for us.
An idea that I have jotted down somewhere: log the certificate we see when connecting to a site in the scan (or at least log an SPKI hash).
Manually run scans are at https://github.com/lgarron/hstspreload-scans for now.
Note that I've upgraded this to automatic scans running since December 23. However, the data is not appropriate for a git repo (already multiple gigs uncompressed). I will backfill it into a Google Cloud Storage bucket once I debug the cron job to do it automatically in the cloud.
For https://crbug.com/608599