I believe that credit for a domain should only be given in cases where the STS header is for that domain, or in the case of a subdomain, if a superdomain serves an STS header with the includeSubDomains directive. I agree with @jsf9k that if the STS header is served on a redirect URI that does not match the above cases then the original domain should not receive credit for using HSTS.
> in the case of a subdomain, if a superdomain serves an STS header with the includeSubDomains directive.
I don't think we currently check superdomains to see if they include the includeSubDomains directive.
> if the STS header is served on a redirect URI that does not match the above cases then the original domain should not receive credit for using HSTS.
Yes, #193 already only gives credit if the original domain uses HSTS, but allows for that to be later on in the redirect chain on the same domain. I think the question here is if a domain should get credit for HSTS when it uses HSTS itself, but then redirects to other domains that don't use HSTS. In that case, should the original domain's credit for HSTS be removed?
🐛 Bug Report
The current pshtt logic that examines the HSTS headers gives credit if any HSTS header encountered in the redirect chain involves the initial endpoint/hostname. If the redirect chain goes on to send the user to an HTTP URL on an entirely different domain for which the browser has never seen an HSTS header, then it seems to me that the user is not being protected by the HSTS header.
How should we handle this case?
Please also see the discussion here in #193.
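The following is an added example, not pshtt's own code, of the credit rule proposed in this thread applied to a scanner's redirect chain: a policy is learned only from hops fetched over https, the initial hostname must be covered by its own Strict-Transport-Security policy or by a superdomain policy carrying includeSubDomains (RFC 6797 section 8.3 matching), and credit is withdrawn if any http:// hop in the chain lands on a host that the learned policies leave uncovered, since a returning browser would not upgrade that request. The hostnames and header values in the sample chains are constructed, and the function and variable names are hypothetical.

```python
from urllib.parse import urlsplit


def parse_sts(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age, include_subdomains), or None if the value is absent or
    malformed (RFC 6797 requires exactly one valid max-age directive).
    """
    if not value:
        return None
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            if max_age is not None:
                return None  # a duplicate max-age makes the header invalid
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


def host_covered(host, policies):
    """Does any learned policy protect `host`?

    `policies` maps hostname -> (max_age, include_subdomains). Coverage is the
    host itself, or a superdomain whose policy set includeSubDomains.
    A max-age of 0 clears a policy, so it never counts as coverage.
    """
    labels = host.lower().split(".")
    for i in range(len(labels)):
        policy = policies.get(".".join(labels[i:]))
        if policy is None or policy[0] <= 0:
            continue
        if i == 0 or policy[1]:
            return True
    return False


def hsts_credit(chain):
    """Decide whether the first hop's hostname earns HSTS credit.

    `chain` is the ordered list of (url, headers) hops a scanner followed,
    with header names lowercased. Returns (credit, reason).
    """
    start_host = urlsplit(chain[0][0]).hostname.lower()
    policies = {}
    for url, headers in chain:
        parts = urlsplit(url)
        if parts.scheme != "https":
            continue  # browsers ignore STS received over plain http
        policy = parse_sts(headers.get("strict-transport-security"))
        if policy is not None:
            policies[parts.hostname.lower()] = policy
    if not host_covered(start_host, policies):
        return False, "no valid STS policy covers %s" % start_host
    for url, _ in chain:
        parts = urlsplit(url)
        if parts.scheme == "http" and not host_covered(parts.hostname.lower(), policies):
            return False, "chain visits http://%s with no covering STS policy" % parts.hostname
    return True, "covered by %s" % ", ".join(sorted(policies))


# Constructed sample chains with hypothetical hostnames, not real scan data.
SAME_DOMAIN = [
    ("http://example.com/", {}),
    ("https://example.com/", {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
]
LEAVES_TO_HTTP = [
    ("http://example.com/", {}),
    ("https://example.com/", {"strict-transport-security": "max-age=31536000"}),
    ("http://other.example.net/", {}),
]
SUPERDOMAIN_COVERS = [
    ("http://www.example.com/", {}),
    ("https://example.com/", {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
]
SUPERDOMAIN_NO_SUB = [
    ("http://www.example.com/", {}),
    ("https://example.com/", {"strict-transport-security": "max-age=31536000"}),
]

if __name__ == "__main__":
    for name, chain in [("same domain", SAME_DOMAIN), ("leaves to http", LEAVES_TO_HTTP),
                        ("superdomain covers", SUPERDOMAIN_COVERS), ("superdomain no sub", SUPERDOMAIN_NO_SUB)]:
        print(name, hsts_credit(chain))
```

Under this rule the second chain loses credit even though example.com itself serves a valid policy, which is the outcome the issue asks about; the fourth chain loses it because example.com's policy lacks includeSubDomains and so does not cover www.example.com.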