

I got this too until I disabled my adblocker, then it worked fine.


Silly me... I forgot this is Google we're talking about. Thanks.


In 2011 a small amount (0.02%) of Gmail users had all their emails deleted due to a bug: https://gmail.googleblog.com/2011/02/gmail-back-soon-for-eve... They ended up having to restore them from tape backup, which took several days. Affected users also had all their incoming mail bounce for 20 hours.


Weirdly, nature.com seems to actually redirect to https, as do zara.com, lenovo.com, genuis.com, and senate.gov. Is this list stale, or did no one spot-check this?


Yes, senate.gov in particular:

  % curl -I senate.gov
  HTTP/1.1 301 Moved Permanently
  Server: AkamaiGHost
  Content-Length: 0
  Location: http://www.senate.gov/
  Date: Tue, 17 Dec 2019 10:37:04 GMT
  Connection: keep-alive

  % curl -I www.senate.gov
  HTTP/1.1 301 Moved Permanently
  Server: Apache
  Location: https://www.senate.gov/
  Content-Length: 231
  Content-Type: text/html; charset=iso-8859-1
  Date: Tue, 17 Dec 2019 10:37:08 GMT
  Connection: keep-alive

It seems to meet the requirement for exclusion from the list. Data updated 16 Dec 2019, so I don't think it's stale.

I've also checked from an Australian and a European connection, so I don't think it's a regional thing. The other genuis.com doesn't work for me; the other sites redirect and set a cookie.


If you're trying to get senate.gov onto the HSTS preload list, you have to redirect http://senate.gov to https://senate.gov before https://www.senate.gov

Maybe their tester applies the same criteria - although to me that feels a bit unfair...


It takes multiple redirects to reach https for several of those. It may just be looking at the first hop - which makes a certain sort of sense.


Article states they allow multiple 301 or 302 redirects. What is not allowed are JS based redirects. There might also be a limit to the number of redirects followed, but that isn't mentioned in the article.


Same with w3.org, which is fifth on the list, and ebay-kleinanzeigen.de. Seems like quite a few entries are off.


w3.org redirects to www.w3.org, but not HTTPS. This makes sense for the standards org that defines HTTP, and needs to maintain backwards compatibility.


Except the standards org that defines HTTP is the IETF, not the W3C...


Oops! You're right, the W3C only helped author it.

I was also wrong to say that w3.org never redirects to HTTPS. If the browser sends an Upgrade-Insecure-Requests HTTP header, then it redirects. That allows it to support all browsers as securely as possible.

Sites like whynohttps.com and observatory.mozilla.org should really test for this pattern.
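
Added example, not part of the thread and not any scanner's actual code: a small Python check that walks a 301/302 chain and reports the three criteria the comments above disagree about (ends on https, first hop is https, first hop is https on the same host). The senate.gov table is transcribed from the curl output quoted above; the function names, the `example.test` entry, and treating unlisted URLs as final are assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Redirect table transcribed from the two `curl -I` outputs quoted in the thread.
# Assumption: any URL not listed here is a final (non-redirecting) response.
SENATE = {
    "http://senate.gov/": (301, "http://www.senate.gov/"),
    "http://www.senate.gov/": (301, "https://www.senate.gov/"),
}

# Constructed sample: a site that upgrades to https on the same host first.
DIRECT = {
    "http://example.test/": (301, "https://example.test/"),
    "https://example.test/": (302, "https://www.example.test/"),
}


def follow(start, table, max_hops=10):
    """Return the URLs visited, following only 301/302 Location hops."""
    chain = [start]
    while len(chain) <= max_hops:
        status, location = table.get(chain[-1], (200, None))
        if status not in (301, 302) or not location:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:                    # redirect loop: stop here
            break
        chain.append(nxt)
    return chain


def assess(start, table):
    """Evaluate a redirect chain against the criteria discussed in the thread."""
    chain = follow(start, table)
    origin = urlsplit(start)
    first = urlsplit(chain[1]) if len(chain) > 1 else None
    first_https = first is not None and first.scheme == "https"
    return {
        "chain": chain,
        "hops": len(chain) - 1,
        # Lenient test: any number of 301/302 hops that end on https.
        "ends_on_https": urlsplit(chain[-1]).scheme == "https",
        # Strict test: only the first hop is inspected.
        "first_hop_https": first_https,
        # Preload-style test: http://host must go to https://host first.
        "first_hop_same_host_https": first_https
        and first.hostname == origin.hostname,
    }


if __name__ == "__main__":
    for name, table, start in (("senate.gov", SENATE, "http://senate.gov/"),
                               ("example.test", DIRECT, "http://example.test/")):
        print(name, assess(start, table))
```

senate.gov passes the lenient test but fails both first-hop tests, which is the behaviour a first-hop-only scanner would flag.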



Python, in particular flask: http://flask.pocoo.org/


This is because whois just searches for domains that start with the given argument by default. Try google.com, same result. What you actually want is `whois "domain apple.com"`.


A better example is Netflix, which features movies that are rated NC-17.


If Apple bought Nest they would have killed the Android app.


When I just tried disabling it, the images that were displayed after I clicked 'Display Images Below' all still went through the proxy.

