HSTS preload list removals for Chrome 59.

Desktop / Chromium - Lucas Garron [chromium.org] - 13 April 2017 23:35 EDT

1p.ro: > We cannot support HTTPS as this is a home, personal domain, and HTTPS was only > enabled to test some features. Additionally there are some internal subdomains > that run on HTTP only and now cannot be accessed on Chrome. > > The settings were erroneously copy-pasted from https://cipherli.st/ but now > all websites settings have been updated to clear the „preload” and the > „include subdomains” flags.

visage.ch, quirino.ch, designpilot.ch: > • webmail - The configuration is on the server in a different directory, we > have not access to this directory, it is a shared hosting

tomask.info: > We cannot support HTTPS on all subdomains, because my new hosting supports only one certificate per domain (Let's Encrypt).

ahrq.gov: > • [*.ahrq.gov] – we never intended to be preloaded, our domain was sending an > HSTS header with the preload directive as a test to comply with the federal > government’s HTTPS-Only standard. We now realize that by ahrq.gov sending the > preload directive in an HSTS header, it was considered to be requesting > inclusion in the preload list.

falkena.net: > • falkena.net - I didn't know what I was doing and how severe the preload > directive in the Header would be. I'm using a raspberry pi to host a small > website and having reinstalled my pi, I wanted to use letsencrypt to > regenerate the certificates. Turns out there is a ACME validation step which > now fails, because each time they try to access http://falkena.net it gets > converted to https://falkena.net which doesn't have a valid certificate. Next > time I will stick to dynamic HSTS, rather than static.

eisp.it: > We do support https on our domain and subdomains but we would still like to be > able to access them if the certificate is not timely renewed, like now, or for > other reasons. I never intended to have our domain preloaded, I never even > made the request but I did by mistake add the preload option in our > configuration, while testing the config, but I honestly didn't know it would > "send" the preload request anyway.

inwesttitle.com: > We cannot support HTTPS on internal subdomains on some machines as they can > not be updated, but we still need to access them locally. We set this up > mostly because it was something that was recommended through ssllabs and > suggestions made from websites about HSTS, but didn't realize how many things > it would affect.

coronelpicanha.com.br, ilhadocaranguejo.com.br, mvixturismo.com.br: > We no longer support HTTPS, because the some mobile devices don't load > properly our websites.

BUG=527947 TBR=palmer@chromium.org

Review-Url: https://codereview.chromium.org/2732883005 . Cr-Commit-Position: refs/heads/master@{#464668}

3467ad5 HSTS preload list removals for Chrome 59.
net/http/transport_security_state_static.json | 12 ------------
1 file changed, 12 deletions(-)

Upstream: git.chromium.org


  • Share