Opened 11 years ago
Closed 10 years ago
#4 closed defect (fixed)
Clarify that HSTS policy applies to entire host (all ports)
| Reported by: | jeff.hodges@… | Owned by: | =JeffH |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | strict-transport-sec | Version: | |
| Severity: | Active WG Document | Keywords: | |
| Cc: | | | |
Description
Clarify and make more explicit that HSTS policy applies to entire host (all ports).
Also include security rationale, e.g. Secure-flagged cookie eavesdropping, XSS vulns, etc.
Change History (3)
comment:1 Changed 11 years ago by jeff.hodges@…
comment:2 Changed 11 years ago by jeff.hodges@…
http://www.ietf.org/mail-archive/web/websec/current/msg00041.html
Subject: [websec] HSTS -- what about ports?
From: Daniel Veditz <dveditz@…>
Date: Sat, 20 Nov 2010 22:29:48 -0800
To: websec@…
The HSTS spec needs to be more clear about how to handle multiple
servers running on different ports on the same host. I think, by
referring to host name matching only, that the intent of the spec is
that a server running on any port can set HSTS behavior for every
other port on that host. If this is correct it might be clearer to
rename "HSTS Server" to "HSTS Host" and to somewhere in the spec
mention explicitly that the port is ignored when matching host names.
An alternate behavior would be that a server running on port X only
specifies the behavior for that port, with a special case for the
default ports 80/443 because they go unspecified. This would make
sense from a security POV only if cookies were port-specific (with
again a special case for the unspecified default ports), but I don't
believe any browser implements cookies in that way. Handling HSTS in
a port-specific manner also complicates the meaning of
includeSubDomains.
###
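The port-independent matching Daniel describes above, as an added example (not part of the ticket, the quoted email, or the HSTS spec): a small Python policy store keyed on host name only, so a policy set by a server on any port covers every port on that host, with includeSubDomains handled as a separate flag. The function names and the in-memory store are assumptions for illustration.

```python
import time
from urllib.parse import urlsplit

# Constructed in-memory store for this example: host name -> (expires_at, include_subdomains).
# The port is deliberately not part of the key.
_store = {}

def parse_sts(header):
    """Parse a Strict-Transport-Security header value into (max_age, include_subdomains)."""
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub

def record_policy(response_url, header, now=None):
    """Store the policy for the host of an HTTPS response, whatever port it came from."""
    now = time.time() if now is None else now
    parts = urlsplit(response_url)
    if parts.scheme != "https":
        return False  # HSTS headers are only honoured over a secure transport
    max_age, include_sub = parse_sts(header)
    host = parts.hostname.lower()  # .hostname drops the port (and any userinfo)
    if max_age == 0:
        _store.pop(host, None)  # max-age=0 clears the policy
    else:
        _store[host] = (now + max_age, include_sub)
    return True

def should_upgrade(url, now=None):
    """Return True if an http:// URL (on any port) must be rewritten to https://."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    if parts.scheme != "http":
        return False
    labels = parts.hostname.lower().split(".")
    for i in range(len(labels)):
        policy = _store.get(".".join(labels[i:]))
        if policy is None or now >= policy[0]:
            continue  # no policy for this label suffix, or it has expired
        # An exact host match always applies; a parent domain only with includeSubDomains.
        if i == 0 or policy[1]:
            return True
    return False
```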
comment:3 Changed 10 years ago by jeff.hodges@…
- Resolution set to fixed
- Status changed from new to closed
add reference to "Beware Finer-grained Origins" <http://www.adambarth.com/papers/2008/jackson-barth-b.pdf>