Hello,
After learning that Chrome 61 beta includes support for the Expect-CT header, I tried to implement it to study its behavior. I deliberately sent wrong SCTs from my server, and added the Expect-CT header as
max-age=3600, enforce, report-uri="https://mydomain/report".
Upon sending a request to my server from Chrome 61 beta, I received the report at my domain. However, subsequent connections to my domain didn't fail as expected (since the SCTs were wrong).
Also, in the report I received, the JSON key effective-expiration-date had the value 1601-01-01T00:00:00.000Z. Does this mean that my domain is never added as a Known CT Host, and hence Chrome doesn't show any warning, as it is always a First-Visit?
Please clarify where I am wrong.
Thanks,
Sanjay