Comment by bonki

2 months ago

I don't understand the HSTS part/situation. If trailing dot vs. non-trailing dot are to be treated as different identities because they could theoretically serve different vhosts, why is it (technically) not correct to ignore HSTS for one if only set by the other?

I assume a big reason is cookies, which are specced to be shared across the two versions: an attacker could relatively trivially trigger a request to http://example.com. which would get example.com's cookies, but not the HSTS upgrade that would prevent them from being sent in plaintext.
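An added illustration (not code from the thread or from any browser): a small Python model of the mismatch the reply describes. It assumes, as the reply does, that cookie domain matching ignores the trailing dot, and it lets the HSTS store's host matching vary: keyed by the exact host string (the situation being asked about) or by a canonicalized host with the dot stripped. The host names and cookie value are constructed for the example.

```python
# Added example, not from the thread. Models how an HSTS store that keys on
# the exact host string fails to upgrade http://example.com./ even though the
# cookie jar still attaches example.com's cookies to that request, and how
# canonicalizing the trailing dot closes the gap. Hosts/values are constructed.

from urllib.parse import urlsplit


def canonical_host(host: str) -> str:
    """Lower-case the host and drop a single trailing dot (FQDN form)."""
    host = host.lower()
    return host[:-1] if host.endswith(".") else host


class HstsStore:
    """Known-HSTS-host list. normalize=False keys entries by the exact host
    string, so 'example.com' and 'example.com.' are separate identities."""

    def __init__(self, normalize: bool) -> None:
        self.normalize = normalize
        self.hosts: set[str] = set()

    def _key(self, host: str) -> str:
        return canonical_host(host) if self.normalize else host.lower()

    def remember(self, host: str) -> None:
        # Called when a Strict-Transport-Security header is seen over HTTPS.
        self.hosts.add(self._key(host))

    def should_upgrade(self, url: str) -> bool:
        parts = urlsplit(url)
        return parts.scheme == "http" and self._key(parts.hostname or "") in self.hosts


class CookieJar:
    """Cookie store whose domain matching ignores the trailing dot
    (assumption taken from the reply above, applied to both forms)."""

    def __init__(self) -> None:
        self.cookies: dict[str, dict[str, str]] = {}

    def set(self, host: str, name: str, value: str) -> None:
        self.cookies.setdefault(canonical_host(host), {})[name] = value

    def cookies_for(self, url: str) -> dict[str, str]:
        host = urlsplit(url).hostname or ""
        return dict(self.cookies.get(canonical_host(host), {}))


def simulate_request(url: str, hsts: HstsStore, jar: CookieJar):
    """Return (effective_url, cookies_sent_in_cleartext) for one navigation."""
    upgraded = hsts.should_upgrade(url)
    effective = url.replace("http://", "https://", 1) if upgraded else url
    attached = jar.cookies_for(url)
    # Cookies sent over an upgraded (HTTPS) connection are not exposed in plaintext.
    plaintext = {} if effective.startswith("https://") else attached
    return effective, plaintext


def demo(normalize: bool):
    """HSTS learned on example.com; cookie set on example.com; then an
    http:// request to the trailing-dot form of the same name."""
    hsts = HstsStore(normalize)
    hsts.remember("example.com")
    jar = CookieJar()
    jar.set("example.com", "session", "constructed-value")
    return simulate_request("http://example.com./", hsts, jar)


if __name__ == "__main__":
    print("exact-host HSTS key:   ", demo(normalize=False))
    print("canonicalized HSTS key:", demo(normalize=True))
```

With the exact-string store the request to the dotted form is not upgraded and the session cookie goes out over HTTP; with canonicalization the same request is upgraded and nothing is sent in cleartext. The model deliberately ignores the separate question of which vhost answers for the dotted name; it only shows why HSTS and cookie scoping disagreeing on host identity leaves a gap.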