Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix wrong error message on Removal page #142

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

xiaoyinl
Copy link
Contributor

The "Status" message on https://hstspreload.org/removal/ page is confusing, e.g. "Status: wikipedia.org is currently preloaded, but no longer meets the requirements. It may be at risk of removal."

This message is clearly for the preload page rather than the removal page.

The "Status" message on https://hstspreload.org/removal/ page is confusing,
e.g. "Status: wikipedia.org is currently preloaded, but no longer meets the
requirements. It may be at risk of removal."

This message is clearly for the preload page rather than the removal page.
@xiaoyinl
Copy link
Contributor Author

@ericlaw1979 Could you please review?

@ericlaw1979
Copy link
Collaborator

It seems like the error message should only potentially omit "It may be at risk of removal." in this scenario, but showing the other status seems fine?

@xiaoyinl
Copy link
Contributor Author

xiaoyinl commented Feb 22, 2018

@ericlaw1979 I think just showing "Status: xxx is currently preloaded" is fine. The code mistakenly treats the error of removal as error of preloading. "But has the following issues" and "but no longer meets the requirements. It may be at risk of removal" make it look like there's an error that may cause the domain to be removed from the preload list, but it's actually fine: the error ("Contains preload directive") prevents the removal, so it's not at risk of removal.

@lgarron
Copy link
Collaborator

lgarron commented Feb 23, 2018

It may be at risk of removal" make it look like there's an error that may cause the domain to be removed from the preload list, but it's actually fine: the error ("Contains preload directive") prevents the removal, so it's not at risk of removal.

The domain is at risk of removal (ignoring #106 in the case of wikipedia.org) – the front page of hstspreload.org clearly states this:

You must make sure your site continues to satisfy the submission requirements at all times. Note that removing the preload directive from your header will make your site immediately eligible for the removal form, and that sites may be removed automatically in the future for failing to keep up the requirements.

However, we could certainly do a better job of making clear that it can't be removed in its current state through the web form.

@lgarron
Copy link
Collaborator

lgarron commented Feb 23, 2018

For what it's worth, I would prefer a fix that clarifies that the domain may automatically be removed in the future, but the current state of the PR looks good to me, too.

@xiaoyinl
Copy link
Contributor Author

The domain is at risk of removal (ignoring #106 in the case of wikipedia.org) – the front page of hstspreload.org clearly states this:

Actually it's not at risk of removal. Wikipedia.org sends Strict-Transport-Security: max-age=106384710; includeSubDomains; preload. This is why I think it's confusing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants