Open Bug 997106 Opened 11 years ago Updated 2 years ago

follow same-origin redirects when testing HSTS preload list candidate hosts

Categories

(Core :: Security: PSM, defect, P3)

28 Branch
x86_64
Windows 7
defect

Tracking


REOPENED

People

(Reporter: kyprizel, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [psm-backlog])

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 (Beta/Release)
Build ID: 20140314220517

Steps to reproduce:
Added resource "passport.yandex.ru" to Chromium's HSTS preload list (https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json) a couple of months ago.

Actual results:
Resource still did not appear in Firefox's HSTS preload list.

Expected results:
"passport.yandex.ru" listed in Firefox's HSTS preload list.
I just realized there is an error report for your domain in <http://dxr.mozilla.org/mozilla-central/source/security/manager/boot/src/nsSTSPreloadList.errors>, which says

> "passport.yandex.ru: did not receive HSTS header"

I guess this is because the very first request done to <https://passport.yandex.ru> is a redirect that does not contain a Strict-Transport-Security header. You should be able to fix this on your side by making the redirect include this header. We could also change our list to follow same-domain HTTPS redirects a bit further...
(In reply to Frederik Braun [:freddyb] from comment #1)
> We could also change our list to follow same-domain HTTPS redirects a bit
> further...

That's probably reasonable.
Component: Networking → Security: PSM
Status: UNCONFIRMED → NEW
Ever confirmed: true
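The check comment 1 proposes, written out as an added example (this is not Mozilla's own preload-list script): request the candidate host over HTTPS, follow redirects only while they stay on the same host over HTTPS, and accept the host once any response in that chain carries a parseable Strict-Transport-Security header. Assumptions are labelled in the code: the 18-week minimum max-age is assumed, the hostnames www.example.test and plain.example.test are made up, and the responses in CANNED are constructed to mimic the redirect described in comment 1, not captured traffic.

```python
"""Check an HSTS preload candidate by following same-origin HTTPS redirects.

Added example; not the Mozilla preload-list generator.
"""
import http.client
import sys
from urllib.parse import urlsplit

MAX_REDIRECTS = 5
# Minimum max-age assumed here for preload acceptance (18 weeks); an assumption.
MIN_MAX_AGE = 18 * 7 * 24 * 60 * 60
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def parse_hsts(header):
    """Parse 'max-age=N[; includeSubDomains]'.
    Returns (max_age, include_subdomains), or None when no usable max-age."""
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


def https_fetch(host, path):
    """Live HTTPS fetch (only used when run as a script).
    Returns (status, headers) with header names lower-cased."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def check_host(host, fetch=https_fetch, max_redirects=MAX_REDIRECTS):
    """Return a dict saying whether `host` qualifies. `fetch(host, path)` is
    injectable so the same logic can run against canned responses."""
    def fail(reason, hops):
        return {"host": host, "ok": False, "error": reason, "hops": hops}

    path = "/"
    for hop in range(max_redirects + 1):
        status, headers = fetch(host, path)
        header = headers.get("strict-transport-security")
        if header is not None:
            # A header on the redirect itself is enough (comment 1's fix).
            parsed = parse_hsts(header)
            if parsed is None:
                return fail("malformed HSTS header", hop)
            max_age, include_subdomains = parsed
            if max_age < MIN_MAX_AGE:
                return fail("max-age too short", hop)
            return {"host": host, "ok": True, "hops": hop,
                    "max_age": max_age, "include_subdomains": include_subdomains}
        if status in REDIRECT_STATUSES:
            location = headers.get("location")
            if not location:
                return fail("redirect without Location", hop)
            target = urlsplit(location)
            if target.netloc:  # absolute URL: must stay on this host over HTTPS
                if (target.scheme != "https" or target.hostname != host
                        or target.port not in (None, 443)):
                    return fail("redirect leaves origin: " + location, hop)
            path = target.path or "/"
            if target.query:
                path += "?" + target.query
            continue
        # Final response without the header: the verdict the errors file recorded.
        return fail("did not receive HSTS header", hop)
    return fail("too many redirects", max_redirects + 1)


# Constructed responses standing in for real servers (not captured traffic).
CANNED = {
    ("passport.yandex.ru", "/"): (302, {"location": "https://passport.yandex.ru/auth"}),
    ("passport.yandex.ru", "/auth"): (200, {"strict-transport-security": "max-age=31536000"}),
    ("www.example.test", "/"): (301, {"location": "https://example.test/"}),
    ("plain.example.test", "/"): (200, {"content-type": "text/html"}),
}


def canned_fetch(host, path):
    return CANNED[(host, path)]


if __name__ == "__main__":
    # With hostnames on the command line the check goes to the network;
    # without arguments it runs against the constructed responses above.
    if len(sys.argv) > 1:
        for h in sys.argv[1:]:
            print(check_host(h))
    else:
        for h, _ in CANNED:
            print(check_host(h, fetch=canned_fetch))
```

The redirect to https://example.test/ is rejected on purpose: a header served by a different host says nothing about whether the candidate itself is committed to HTTPS, so only same-host hops are followed and anything else is reported rather than chased.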
Changed the behaviour of the web server. Can you check if it passes the check now?
Running locally, it looks like (at least) these new domains will be on the list when the script runs this Saturday:

< { "passport.yandex.by", false },
< { "passport.yandex.com", false },
< { "passport.yandex.com.tr", false },
< { "passport.yandex.kz", false },
< { "passport.yandex.ru", false },
< { "passport.yandex.ua", false },

That said, I still think it's worthwhile doing what :freddyb suggested in comment 1.
Thank you!
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
(In reply to David Keeler (:keeler) from comment #4)
> That said, I still think it's worthwhile doing what :freddyb suggested in
> comment 1.

Agreed, which is why I'm reopening this bug.

Another problem I have is that I want to do includeSubDomains for a specific zone (and all sub-zones), but I have nothing on the zone itself that would send HSTS. Basically, I have foo.blah.example.com, bar.blah.example.com, baz.blah.example.com. I want to just add blah.example.com to the HSTS preload list with includeSubDomains, so all those other ones are covered. Chrome allows me to do this (and I have entries in their preload list for this already), but the entries aren't carried over to Firefox, as blah.example.com doesn't actually exist to send an HSTS header (just the sub-zones).
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Assignee: nobody → dkeeler
Summary: Some entries of Chromiums HSTS list do not appear in Firefoxs one → follow same-origin redirects when testing HSTS preload list candidate hosts
Assignee: dkeeler → nobody
Whiteboard: [psm-backlog]
Severity: normal → S3