by C4K3 3023 days ago
What about websites that are on second-level domains? E.g. amazon.co.uk

Would example.amazon.co.uk then not be able to set HSTS for amazon.co.uk?

2 comments

example.amazon.co.uk and amazon.co.uk are not matching domains as defined in the RFC[1] (they are not congruent).

The includeSubDomains directive[2] allows the HSTS policy set for amazon.co.uk to apply to its subdomain example.amazon.co.uk, but not vice versa.

[1] https://tools.ietf.org/html/rfc6797#section-8.2

[2] https://tools.ietf.org/html/rfc6797#page-16
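As an added illustration of the matching rules this comment refers to (example code written for this page, not code from the thread or from any browser), the following models how a user agent decides whether a request host is a Known HSTS Host: a congruent match means the labels are identical, a superdomain match means the cached entry is a parent of the request host, and only entries set with includeSubDomains may match via the superdomain rule. The cache contents and host names are constructed for the example.

```python
# Added example (not from the thread): how a user agent decides whether a
# host is a Known HSTS Host, following the matching rules of RFC 6797
# section 8.2 (congruent match vs. superdomain match) and the URI rewrite
# of section 8.3. The cached entries and host names are constructed.
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class HstsEntry:
    """One cached HSTS policy: the host that sent it and its includeSubDomains flag."""
    host: str
    include_subdomains: bool


def _labels(host: str) -> list[str]:
    """Normalise a host name into its DNS labels (case-insensitive, no trailing dot)."""
    return host.lower().rstrip(".").split(".")


def congruent_match(host: str, known: str) -> bool:
    """RFC 6797 s8.2 congruent match: label-for-label identical domain names."""
    return _labels(host) == _labels(known)


def superdomain_match(host: str, known: str) -> bool:
    """RFC 6797 s8.2 superdomain match: `known` is a parent of `host`, i.e. host
    has more labels and its right-hand labels equal those of known
    (amazon.co.uk is a superdomain of example.amazon.co.uk, never the reverse)."""
    h, k = _labels(host), _labels(known)
    return len(h) > len(k) and h[-len(k):] == k


def is_hsts_host(host: str, known_hosts) -> bool:
    """A host is a Known HSTS Host if it matches an entry congruently, or is a
    subdomain of an entry whose policy carried includeSubDomains. A policy
    cached for example.amazon.co.uk therefore says nothing about amazon.co.uk."""
    for entry in known_hosts:
        if congruent_match(host, entry.host):
            return True
        if entry.include_subdomains and superdomain_match(host, entry.host):
            return True
    return False


def upgrade_url(url: str, known_hosts) -> str:
    """RFC 6797 s8.3: rewrite http:// to https:// for Known HSTS Hosts. An
    explicit port 80 becomes the https default; any other explicit port is kept."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "http" or not is_hsts_host(host, known_hosts):
        return url
    netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed cache: amazon.co.uk sent Strict-Transport-Security with includeSubDomains.
    cache = [HstsEntry("amazon.co.uk", include_subdomains=True)]
    print(is_hsts_host("example.amazon.co.uk", cache))                               # True
    print(is_hsts_host("amazon.co.uk", [HstsEntry("example.amazon.co.uk", True)]))  # False
    print(upgrade_url("http://example.amazon.co.uk/cart", cache))
```

Run it directly to see the three cases from the comment: the subdomain is covered by the parent's includeSubDomains policy, the parent is never covered by a subdomain's policy, and a matching http:// URL is rewritten to https://.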

Yes, using pubsuffix+1 instead of TLD+1 would make way more sense.

I've asked here: https://twitter.com/gsnedders/status/974765437283119104

Per the response it is using pubsuffix+1, and hence co.uk is treated as an effective TLD.
The public suffix is more correct than the TLD; however, the fact that publicsuffix.org accepts private domains at the domain owner's request weakens the mitigation.
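As an added illustration of the difference between "pubsuffix+1" and "TLD+1" discussed above (example code written for this page, not code from the thread or from publicsuffix.org), the following implements the Public Suffix List lookup over a tiny constructed rule set. The rule set is not the real list: it contains a few plain rules, one wildcard rule, one exception rule, and one entry standing in for the kind of privately requested suffix the comment mentions, so the effect of including or excluding such entries can be seen directly.

```python
# Added example (not from the thread): why "pubsuffix+1" (eTLD+1) differs
# from naive "TLD+1". The rule sets below are a small constructed subset in
# the Public Suffix List format (https://publicsuffix.org/list/), not the
# real list: plain rules, a wildcard rule (*.ck), an exception rule (!www.ck),
# and one constructed entry standing in for a privately requested suffix.

ICANN_RULES = {"com", "uk", "co.uk", "org.uk", "*.ck", "!www.ck"}
PRIVATE_RULES = {"github.io"}   # stand-in for an owner-requested PRIVATE-section entry
ALL_RULES = ICANN_RULES | PRIVATE_RULES


def _labels(host: str) -> list[str]:
    """Normalise a host name into its DNS labels (case-insensitive, no trailing dot)."""
    return host.lower().rstrip(".").split(".")


def public_suffix(host: str, rules: set[str]) -> str:
    """PSL algorithm: an exception rule wins outright and yields the rule minus
    its leftmost label; otherwise the longest matching rule (plain or wildcard)
    wins; with no match at all the public suffix is the rightmost label."""
    labels = _labels(host)
    for i in range(len(labels)):            # longest candidate first
        cand = ".".join(labels[i:])
        parent = ".".join(labels[i + 1:])
        if "!" + cand in rules:
            return parent
        if cand in rules or (parent and "*." + parent in rules):
            return cand
    return labels[-1]


def registrable_domain(host: str, rules: set[str] = ALL_RULES):
    """eTLD+1 ("pubsuffix+1"): the public suffix plus one more label, or None
    when the host is itself a public suffix and so cannot be registered."""
    labels = _labels(host)
    n = len(public_suffix(host, rules).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def naive_tld_plus_one(host: str):
    """What plain "TLD+1" gives: the last two labels, whatever they are."""
    labels = _labels(host)
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


if __name__ == "__main__":
    host = "example.amazon.co.uk"
    print("TLD+1:      ", naive_tld_plus_one(host))        # co.uk
    print("pubsuffix+1:", registrable_domain(host))        # amazon.co.uk
    # Effect of an owner-requested (PRIVATE section) entry on the same host name:
    print(registrable_domain("user.github.io", ICANN_RULES))  # github.io
    print(registrable_domain("user.github.io", ALL_RULES))    # user.github.io
```

With the constructed rules, co.uk is treated as an effective TLD, so example.amazon.co.uk resolves to amazon.co.uk as the registrable domain rather than co.uk. The last two lines show the comment's point about private entries: whether the stand-in suffix is in the rule set changes which name counts as the registrable domain.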