|
|
|
|
|
|
by aaronmdjones
620 days ago
|
|
|
HSTS won't prevent this at all; the advertiser merely needs to also set up TLS by getting a certificate for that subdomain, which they can already do precisely because it goes to their web server -- not yours. This also lets them steal cookies marked secure (sent over HTTPS only). Edit: A combination of DNS CAA with an account identifier restriction in the record would prevent this. Then the advertiser would complain, and any ads served would have to be over plaintext, which would cause browser warnings about mixed content and allow MITM injection of (more) malicious content. |
|
|