HSTS and access to subdomain with Javascript

Question

Some weeks ago I have moved a homepage to https only and also enabled HSTS. On one page I have some JavaScript code that got its content from a subdomain via a http-request. Before https was enabled this worked well. I also changed the http protocol to https in the javascript code. But this was not a solution.

Does HTTPS restrict access to a subdomain or is it HSTS?

Is there a way to allow access to subdomains?

Here ist the JavaScript-Code:

<script type="text/javascript" src="/jquery-1.11.0.min.js"></script>
<script>
$("#ipv4").show().load('https://ipv4.mydomain.com/myip/'
, {limit: 25}, 
  function (responseText, textStatus, req) {
    if (textStatus == "error") {
      $("#ipv4").html("Kein IPv4");
    }
  }
);
$("#ipv6").show().load('https://ipv6.mydomain.com/myip/'
, {limit: 25}, 
  function (responseText, textStatus, req) {
    if (textStatus == "error") {
      $("#ipv6").html("Kein IPv6");
    }
  }
);
</script>

And this is the HSTS-Header:

Strict-Transport-Security: max-age=31556926; includeSubDomains; preload

I have added the HSTS-header in my post, and also the subdomains have valid certificates. — Teddy, Jan 15 '16 at 20:55
so hsts apply to your subdomains. What do ssllabs says about them? — Tom, Jan 15 '16 at 21:29

score 0 · Answer 1 · answered Jan 13 '16 at 16:53

0

The only effect of HSTS is to rewrite http request to https before sending them.

Thus, your subdomain must answer to https request to works.

answered Jan 13 '16 at 16:53

Tom

4,666
2
29
48

HSTS and access to subdomain with Javascript

1 Answers1