From a32e0cb8c787b42e78e6a2c977523eff866436ca Mon Sep 17 00:00:00 2001 From: trav90 Date: Tue, 5 Jun 2018 22:23:30 -0500 Subject: Update HSTS preload list generation script Previous behavior: if an entry was in the previously-used list, and there would be an error connecting to or processing the host, it would adopt it using the previous status, with a new minimum required max age TTL. New behavior: if an entry is in the previously-used list, and there is an error connecting to or processing the host, it will be dropped from the preload list. The old behavior would allow entries to persist on the HSTS preload list when they drop off the 'net. Considering domain churn, it would cause issues for new owners for having a persisted HSTS entry preloaded in the browser. Bonus: it keeps our HSTS preload list lean. --- security/manager/tools/getHSTSPreloadList.js | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'security/manager') diff --git a/security/manager/tools/getHSTSPreloadList.js b/security/manager/tools/getHSTSPreloadList.js index 5b950f938..26fad8a89 100644 --- a/security/manager/tools/getHSTSPreloadList.js +++ b/security/manager/tools/getHSTSPreloadList.js @@ -261,16 +261,15 @@ function output(sortedStatuses, currentList) { for (let status in sortedStatuses) { // If we've encountered an error for this entry (other than the site not - // sending an HSTS header), be safe and don't remove it from the list - // (given that it was already on the list). + // sending an HSTS header), be safe and remove it from the list + // (preventing stale entries from accumulating). if (status.error != ERROR_NONE && status.error != ERROR_NO_HSTS_HEADER && status.error != ERROR_MAX_AGE_TOO_LOW && status.name in currentList) { - dump("INFO: error connecting to or processing " + status.name + " - using previous status on list\n"); + dump("INFO: error connecting to or processing " + status.name + " - dropping from list\n"); writeTo(status.name + ": " + errorToString(status) + "\n", eos); - status.maxAge = MINIMUM_REQUIRED_MAX_AGE; - status.includeSubdomains = currentList[status.name]; + status.maxAge = 0; } } -- cgit v1.2.3