RESOLVED MOVED 272670
Various HSTS parsing issues
https://bugs.webkit.org/show_bug.cgi?id=272670
jannis.rautenstrauch
Reported 2024-04-15 06:11:06 PDT
WebKit diverges from the HSTS specification and from other browsers for various (invalid) HSTS headers.

1. A comma is not allowed in the HSTS syntax and

> UAs MUST ignore any STS header field containing directives, or other header field value data, that does not conform to the syntax defined in this specification.

https://www.rfc-editor.org/rfc/rfc6797#section-6.1

Thus an HSTS header such as `max-age=20, max-age=20; includeSubDomains, includeSubDomains, , max-age=20; includeSubDomains; preload, max-age=0, max-age=-5` should be treated as invalid and have no effect. In WebKit, such a header is interpreted as `max-age=20`. (Firefox states that the header is invalid; Chromium parses the `,` as part of the directive value, which is also incorrect but results in not upgrading the resource here.)

Example URL: http://sub.headers.websec.saarland/_hp/tests/upgrade-hsts.sub.html?resp_type=basic&browser_id=1&label=HSTS&first_id=140&last_id=140&scheme=http&t_resp_id=140&t_element_relation=direct_direct&t_resp_origin=https://sub.headers.websec.saarland

2. Various other invalid headers are interpreted as valid. It seems like WebKit is simply parsing as much as possible and ignores all incorrect things that occur later (both in directive names and values).

- `max-age=60"` is not a valid number, thus should not parse, but works in WebKit: http://sub.headers.websec.saarland/_hp/tests/upgrade-hsts.sub.html?resp_type=parsing&browser_id=1&label=HSTS&first_id=32477&last_id=32477&scheme=http&t_resp_id=32477&t_element_relation=direct_direct&t_resp_origin=https://sub.headers.websec.saarland
- `max-age=20; includeSubDomains max-age=0 max-age=60`: spaces are not allowed in directive names nor values, but work in WebKit: http://sub.headers.websec.saarland/_hp/tests/upgrade-hsts.sub.html?resp_type=parsing&browser_id=1&label=HSTS&first_id=32964&last_id=32964&scheme=http&t_resp_id=32964&t_element_relation=direct_direct&t_resp_origin=https://sub.headers.websec.saarland
- `max-age=300;\u00a0includeSubDomains;\u00a0preload`: NBSPs are not allowed, but work in WebKit: http://sub.headers.websec.saarland/_hp/tests/upgrade-hsts.sub.html?resp_type=parsing&browser_id=1&label=HSTS&first_id=31209&last_id=31209&scheme=http&t_resp_id=31209&t_element_relation=subdomain_subdomain&t_resp_origin=https://sub.headers.websec.saarland
- `max-age=20; in"cludeSubDomains`: due to `"` the directive name is invalid (not allowed in token) and parsing should fail; however, WebKit ignores the invalid directive and applies the valid one: http://sub.headers.websec.saarland/_hp/tests/upgrade-hsts.sub.html?resp_type=parsing&browser_id=1&label=HSTS&first_id=32557&last_id=32557&scheme=http&t_resp_id=32557&t_element_relation=direct_direct&t_resp_origin=https://sub.headers.websec.saarland

3. Empty values are not allowed, and should lead to ignoring the header. However, WebKit ignores only the directive.

- `max-age=20; includeSubDomains=` is interpreted as `max-age=20;` in WebKit: http://sub.headers.websec.saarland/_hp/tests/upgrade-hsts.sub.html?resp_type=parsing&browser_id=1&label=HSTS&first_id=32689&last_id=32689&scheme=http&t_resp_id=32689&t_element_relation=direct_direct&t_resp_origin=https://sub.headers.websec.saarland
Alexey Proskuryakov
Comment 1 2024-04-15 22:12:46 PDT
Thank you for the report! This is an issue in a system framework below WebKit, it will continue to be tracked by Apple internally.
Radar WebKit Bug Importer
Comment 2 2024-04-15 22:14:28 PDT