Follow-up Comment #7, sr #109089 (project administration):

gnu.org and www.gnu.org have indeed enabled HSTS. The headers are:

HTTP/1.1 200 OK
Date: Sun, 17 Jul 2016 05:41:27 GMT
Server: Apache/2.4.7
Content-Location: home.html
Vary: negotiate,accept-language,Accept-Encoding
TCN: choice
Strict-Transport-Security: max-age=63072000
Access-Control-Allow-Origin: (null)
Accept-Ranges: bytes
Cache-Control: max-age=0
Expires: Sun, 17 Jul 2016 05:41:27 GMT
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
Content-Language: en

However, that does not include the includeSubDomains directive. Therefore it should not apply to subdomains. See RFC 6797.

I tested this using both Firefox and Chromium. I first went to https://gnu.org/ which redirects to https://www.gnu.org/ to set up the environment with HSTS. Then I went to http://git.savannah.gnu.org/cgit/coreutils.git to see what it would do in both of those browsers. Both went to http and neither went to https.

I don't know what is going on yet. We will have to keep looking.

_______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?109089>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
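
Added example, not part of the original comment or of Savannah's code: a simplified Python model of how a user agent parses the Strict-Transport-Security header and decides whether a host is a Known HSTS Host under RFC 6797, applied to the header value quoted above. The names parse_sts and HstsStore are hypothetical; policy expiry timing and IP-literal hosts are left out.

```python
# Added example: simplified model of RFC 6797 header parsing and host matching.
import re

def parse_sts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns (max_age, include_subdomains), or None if the header must be ignored."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are allowed by the grammar
        name, _, val = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in seen:
            return None  # a directive may appear only once
        seen[name] = val.strip().strip('"')  # value may be a quoted-string
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None  # max-age is required and must be delta-seconds
    return int(seen["max-age"]), "includesubdomains" in seen

class HstsStore:
    """Known HSTS Host list of one user agent (expiry timing is omitted)."""
    def __init__(self):
        self.hosts = {}  # host -> include_subdomains flag

    def note(self, host, header_value):
        """Record a policy received over a secure connection to host."""
        policy = parse_sts(header_value)
        if policy is None:
            return
        max_age, include_sub = policy
        if max_age == 0:
            self.hosts.pop(host.lower(), None)  # max-age=0 removes the host
        else:
            self.hosts[host.lower()] = include_sub

    def must_upgrade(self, host):
        """True if an http:// request to host is rewritten to https:// (section 8.3)."""
        labels = host.lower().rstrip(".").split(".")
        if ".".join(labels) in self.hosts:
            return True  # congruent match
        # A superdomain match counts only if that host asserted includeSubDomains.
        return any(self.hosts.get(".".join(labels[i:]), False)
                   for i in range(1, len(labels)))

# Constructed scenario using the header value quoted in the comment above.
ua = HstsStore()
for h in ("gnu.org", "www.gnu.org"):
    ua.note(h, "max-age=63072000")
```

With this store, ua.must_upgrade("git.savannah.gnu.org") is False, because neither noted host asserted includeSubDomains.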