Fix wrong error message on Removal page

[xiaoyinl]

The "Status" message on https://hstspreload.org/removal/ page is confusing, e.g. "Status: wikipedia.org is currently preloaded, but no longer meets the requirements. It may be at risk of removal."

This message is clearly for the preload page rather than the removal page.

[xiaoyinl]

@ericlaw1979 Could you please review?

[ericlaw1979]

It seems like the error message should only potentially omit "It may be at risk of removal." in this scenario, but showing the other status seems fine?

[xiaoyinl]

@ericlaw1979 I think just showing "Status: xxx is currently preloaded" is fine. The code mistakenly treats the error of removal as error of preloading. "But has the following issues" and "but no longer meets the requirements. It may be at risk of removal" make it look like there's an error that may cause the domain to be removed from the preload list, but it's actually fine: the error ("Contains preload directive") prevents the removal, so it's not at risk of removal.

[lgarron]

It may be at risk of removal" make it look like there's an error that may cause the domain to be removed from the preload list, but it's actually fine: the error ("Contains preload directive") prevents the removal, so it's not at risk of removal.

The domain is at risk of removal (ignoring #106 in the case of wikipedia.org) – the front page of hstspreload.org clearly states this:

You must make sure your site continues to satisfy the submission requirements at all times. Note that removing the preload directive from your header will make your site immediately eligible for the removal form, and that sites may be removed automatically in the future for failing to keep up the requirements.

However, we could certainly do a better job of making clear that it can't be removed in its current state through the web form.

[lgarron]

For what it's worth, I would prefer a fix that clarifies that the domain may automatically be removed in the future, but the current state of the PR looks good to me, too.

[xiaoyinl]

The domain is at risk of removal (ignoring #106 in the case of wikipedia.org) – the front page of hstspreload.org clearly states this:

Actually it's not at risk of removal. Wikipedia.org sends Strict-Transport-Security: max-age=106384710; includeSubDomains; preload. This is why I think it's confusing.

[cristianlivella]

Wow, it's been 8 years, and this still hasn't been merged?
I just ran into the same problem, and the error message is very misleading.

@lgarron the domain is not not at risk of removal. In fact, it's exactly the opposite.

The problem is that form.js is using the same logic for both the submission form and the removal form.
If the backend returns an "errors" message, this phrase is displayed:

[domain] is currently preloaded, but no longer meets the requirements. It may be at risk of removal.

This is correct if we are using the submission form, but if we are using the removal form, it is completely wrong, because in that case the endpoint returns an "errors" message when it is not possible to request domain removal, since HSTS is properly enabled in the header.

edit: added API response

{
  "errors": [
    {
      "code": "header.removable.contains.preload",
      "summary": "Contains preload directive",
      "message": "Header requirement error: For preload list removal, the header must not contain the `preload` directive."
    }
  ],
  "warnings": []
}

[lgarron]

Wow, it's been 8 years, and this still hasn't been merged?

That's mostly up to the maintainers with merge access, primarily @nharper.