> if I had an app on the ".app" TLD I can now stop listening on port 80 altogether without as much worry that I'm breaking stuff.

Except the part where the `.app` domain is only "https-only" in Chrome.

It's not just Chrome.

Chrome maintains the list that most browsers use, but it's not the only browser using the list.

Firefox, Opera, Safari, IE 11, Edge, and others are all using HSTS-Preload lists based off Chromium's.

You can see for yourself that Firefox is preloading the `app` TLD in its preload list at [0], and Opera is using the Blink engine, so it's using Chromium's list directly.

As for the other browsers, sadly they aren't open sourced so you can't see their exact list that they use, but seeing as they base their list off Chromium's, I'd wager that they will include this TLD in their lists as well soon enough. They both already include other TLDs which are in the HSTS preload list (like .bank, .google, and .foo).

[0] https://github.com/mozilla/gecko-dev/blob/master/security/ma...

This is more about expectations though. The idea is that you shouldn't make a request over HTTP to a .app website and expect it to succeed.

