Trying to submit a site to the HSTS preload list fails when the site is hosted on Netlify with www set as the primary (default) domain for the base domain.
The redirects Netlify uses are:
This is a problem because the browser never visits http://example.com; the correct redirects would be:
The HSTS spec (RFC 6797, section 8.1) says:
If an HTTP response is received over insecure transport, the UA MUST ignore any present STS header field(s).
So sending the header with request O1 would do nothing.
The header could be sent on request O2, but www.example.com is a subdomain, and if you try to submit it as the preloaded site you get this:
Error: Subdomain
www.example.com is a subdomain. Please preload example.com instead. (Due to the size of the preload list and the behaviour of cookies across subdomains, we only accept automated preload list submissions of whole registered domains.)
The other issue is that includeSubDomains would then apply to www.example.com, so only subdomains of www.example.com would be covered rather than subdomains of example.com. Browsers that do not have the site preloaded would therefore never see a header for example.com and would not set HSTS for the whole domain.
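As an added illustration (not part of the original post), the following Python script simulates a browser walking a redirect chain, applies the RFC 6797 rule quoted above (STS received over plain HTTP is ignored), and reports which of the preload requirements the base domain would fail. The two chains are constructed to match the description above, not captured Netlify responses, and the one-year max-age threshold is an assumption about the preload form's current minimum.

```python
from urllib.parse import urlparse

# Assumed minimum max-age the preload form accepts (one year).
PRELOAD_MIN_MAX_AGE = 31536000

# Constructed hops (not captured Netlify responses):
# (request URL, status, Location header, Strict-Transport-Security header)
NETLIFY_STYLE_CHAIN = [
    ("http://example.com/", 301, "https://www.example.com/", None),
    ("https://www.example.com/", 200, None,
     "max-age=31536000; includeSubDomains; preload"),
]

CORRECTED_CHAIN = [
    ("http://example.com/", 301, "https://example.com/", None),
    ("https://example.com/", 301, "https://www.example.com/",
     "max-age=31536000; includeSubDomains; preload"),
    ("https://www.example.com/", 200, None,
     "max-age=31536000; includeSubDomains; preload"),
]


def parse_sts(value):
    """Split an STS header value into a directive dict.

    Directive names are case-insensitive, so keys are lower-cased; a
    valueless directive such as includeSubDomains maps to True.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or True
    return directives


def honoured_sts(chain):
    """Return {host: directives} for each STS header a UA would act on.

    RFC 6797 section 8.1: an STS header received over insecure transport
    is ignored, so only https:// hops count.  The policy is recorded
    against the exact host that sent it, which is why includeSubDomains
    from www.example.com never covers other subdomains of example.com.
    """
    honoured = {}
    for url, _status, _location, sts in chain:
        parsed = urlparse(url)
        if sts is not None and parsed.scheme == "https":
            honoured[parsed.hostname] = parse_sts(sts)
    return honoured


def preload_problems(chain, registered_domain):
    """List reasons a submission of registered_domain would be rejected."""
    problems = []

    # First hop: http://<domain> must redirect to https://<domain> on the
    # same host before any redirect to www (or anywhere else).
    _url, _status, first_location, _sts = chain[0]
    target = urlparse(first_location or "")
    if target.scheme != "https" or target.hostname != registered_domain:
        problems.append(
            "http://%s must redirect to https://%s first, not to %s"
            % (registered_domain, registered_domain, first_location))

    policy = honoured_sts(chain).get(registered_domain)
    if policy is None:
        problems.append(
            "no STS header was received over HTTPS for %s (a header on "
            "www.%s cannot be submitted: subdomains are rejected)"
            % (registered_domain, registered_domain))
        return problems

    try:
        max_age = int(policy.get("max-age", 0))
    except ValueError:
        max_age = 0
    if max_age < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age must be at least %d" % PRELOAD_MIN_MAX_AGE)
    if "includesubdomains" not in policy:
        problems.append("includeSubDomains directive is missing")
    if "preload" not in policy:
        problems.append("preload directive is missing")
    return problems


if __name__ == "__main__":
    for label, chain in (("Netlify-style", NETLIFY_STYLE_CHAIN),
                         ("corrected", CORRECTED_CHAIN)):
        print(label, preload_problems(chain, "example.com") or ["ok"])
```

Running it reports two problems for the Netlify-style chain (the first hop leaves the base host, and no HTTPS response from example.com ever carries the header) and none for the corrected chain, where https://example.com sends the policy before handing off to www.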
At the moment there is an issue open on Netlify's internal tracker for this.
As a temporary workaround you can use a service such as Cloudflare to split the redirects, but once the issue is fixed this will no longer be necessary.