

Canonical Redirect Pitfalls with HTTP Strict Transport Security (2010) - diafygi
https://coderrr.wordpress.com/2010/12/27/canonical-redirect-pitfalls-with-http-strict-transport-security-and-some-solutions/

======
jusob
It looks like all the problems raised would be solved by using the option
includeSubDomains in the HSTS header on paypal.com.

