
Don't require internal redirects before redirecting to HTTPS #87

@konklone

Description


The HSTS preload checker currently requires an internal redirect before an external redirect:

[Screenshot of the HSTS preload checker output, captured 2016-08-22]

In this case, the domain in question (greengov.gov) always redirects immediately to https://www.whitehouse.gov/greengov/, whether it's accessed over HTTP or HTTPS, or at www or the base of the domain.

There is an obvious performance hit, and there are no security benefits I can think of to requiring the domain to internally redirect before externally redirecting, other than causing the client to cache the HSTS policy on the way through the double-redirect. However, since this scan is for the purpose of preloading the domain, this isn't really relevant -- once the domain is preloaded, there will be no security benefit to forcing clients to go through that redirect.

I think it should be sufficient that a domain's HTTP endpoints redirect immediately and consistently to HTTPS throughout the redirect chain this tool measures, whether or not these redirect locations are internal to the requested hostname or not. This would allow "redirect domains" like greengov.gov to maintain their performance properties while achieving the same level of functional security as other domains.
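To make the two positions concrete, here is an added, offline model (not code from the issue, the preload checker, or any project) that follows a redirect chain from a domain's HTTP entry points and applies two rules: a `strict_rule` modelling the behaviour the issue objects to (first hop must be HTTPS on the same hostname) and a `proposed_rule` matching the issue's suggestion (every hop after the entry point is HTTPS, any hostname). The `REDIRECTS` table is constructed sample data; the `example.gov` and `bad.gov` entries are hypothetical.

```python
from urllib.parse import urlparse

# Constructed redirect table standing in for live HTTP responses
# (hostnames other than greengov.gov/whitehouse.gov are hypothetical).
REDIRECTS = {
    "http://greengov.gov/": "https://www.whitehouse.gov/greengov/",
    "http://www.greengov.gov/": "https://www.whitehouse.gov/greengov/",
    "https://greengov.gov/": "https://www.whitehouse.gov/greengov/",
    "https://www.greengov.gov/": "https://www.whitehouse.gov/greengov/",
    "http://example.gov/": "https://example.gov/",          # internal first hop
    "https://example.gov/": "https://www.example.gov/",
    "http://www.example.gov/": "https://www.example.gov/",
    "http://bad.gov/": "http://www.bad.gov/",               # plaintext hop
    "http://www.bad.gov/": "https://www.bad.gov/",
}

def follow_chain(url, max_hops=10):
    """Return the list of URLs visited, starting with the entry point."""
    chain = [url]
    while url in REDIRECTS and len(chain) <= max_hops:
        url = REDIRECTS[url]
        chain.append(url)
    return chain

def strict_rule(chain):
    """Model of the behaviour the issue objects to: the first hop from an
    HTTP entry point must be HTTPS on the *same* hostname (internal)."""
    if len(chain) < 2:
        return False
    first, second = urlparse(chain[0]), urlparse(chain[1])
    return second.scheme == "https" and second.hostname == first.hostname

def proposed_rule(chain):
    """Rule the issue proposes: every hop after the HTTP entry point is
    HTTPS, whether or not it stays on the requested hostname."""
    if len(chain) < 2:
        return False
    return all(urlparse(u).scheme == "https" for u in chain[1:])

def check_domain(domain, rule):
    """Apply a rule to both HTTP entry points (base and www) of a domain."""
    return all(rule(follow_chain(f"http://{host}/"))
               for host in (domain, f"www.{domain}"))
```

Under `strict_rule` greengov.gov fails solely because its first hop leaves the hostname, while `proposed_rule` passes it and still rejects a chain with a plaintext intermediate hop.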
