Opened 11 years ago
Closed 10 years ago
#28 closed defect (fixed)
HSTS spec unclear about the denotation of "HSTS policy"
| Reported by: | jeff.hodges@… | Owned by: | draft-ietf-websec-strict-transport-sec@… |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | strict-transport-sec | Version: | |
| Severity: | - | Keywords: | |
| Cc: | | | |
Description
Strict-Transport-Security syntax and effective request URI def [StPeter?]
https://www.ietf.org/mail-archive/web/websec/current/msg00476.html
The document is a bit unclear about the denotation of "HSTS policy".
Sometimes it refers to the site's policy and sometimes to the overall
recommendations defined in the spec.
> This specification also incorporates notions
> from [JacksonBarth2008] in that the HSTS policy is applied on an
> "entire-host" basis: it applies to all TCP ports on the host.
> Additionally, HSTS policy can be applied to the entire domain name
> subtree rooted at a given host name. This enables HSTS to protect
> so-called "domain cookies", which are applied to all subdomains of a
> given domain.
Perhaps it would be helpful to contrast the all ports and entire subtree
principles with the same origin policy also being worked on in this WG,
with an informational reference to the appropriate spec.
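As an added illustration of the two rules discussed in the ticket (the per-host "site policy" applying to every TCP port on a host, and optionally to the whole subtree below it), here is example code written for this page, not code from the ticket, the spec or any browser; the Known HSTS Host table is constructed, and the port handling (80 becomes the https default, any other explicit port is kept) is an assumption about how a client would honour the "all ports" rule.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed Known HSTS Host store: host -> includeSubDomains flag.
# Assumption: each entry was learned from the site itself over HTTPS.
KNOWN_HSTS_HOSTS = {
    "example.com": True,          # policy covers the whole example.com subtree
    "login.example.net": False,   # policy covers this single host only
}


def hsts_policy_applies(host: str, store=KNOWN_HSTS_HOSTS) -> bool:
    """Match a request host against the store on an entire-host basis.

    A congruent match is the host itself; a superdomain match is any parent
    label whose entry was recorded with includeSubDomains. The port is never
    consulted: the site's policy covers every TCP port on the host.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in store and (i == 0 or store[candidate]):
            return True
    # keep walking up even past a non-includeSubDomains entry, since a
    # higher ancestor may still have asked for subtree coverage
    return False


def rewrite_for_hsts(url: str, store=KNOWN_HSTS_HOSTS) -> str:
    """Rewrite an http:// URL to https:// when HSTS policy applies to its host.

    Port 80 (explicit or implied) becomes the https default; any other
    explicit port is preserved, because the policy protects all ports,
    not only the one the request happened to use.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname is None:
        return url
    if not hsts_policy_applies(parts.hostname, store):
        return url
    port = parts.port
    netloc = parts.hostname if port in (None, 80) else f"{parts.hostname}:{port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

Note that `sso.login.example.net` is left untouched: `login.example.net` was recorded without includeSubDomains, so only a congruent match on that exact host triggers the upgrade.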
Change History (1)
comment:1 Changed 10 years ago by jeff.hodges@…
- Resolution set to fixed
- Status changed from new to closed