Hacker News
List of secure websites (code.google.com)
23 points by btrask on Nov 15, 2015 | 10 comments



Note that adding your site to the HSTS whitelist in Chrome (from which Firefox, Safari, and Edge will follow) is very easy:

https://hstspreload.appspot.com/


Thank you for that. I was quite clueless on how this list was put together.


Better title: "The Chromium Built-In HSTS Whitelist".

Search for "noisebridge", which is right around where all the small sites start.


IMO the HSTS list should have a description field.


So all applications to the HSTS preloaded list are hardcoded in that json.

How big will that file get in a few years? Looks like the first addition of user submitted websites was done over a year ago.

I wonder how ubiquitous HTTP/2 (TLS mandatory) will affect this.


TLS is not strictly mandatory in HTTP/2 (see h2c), but even if it was, this list solves another problem - when a user types e.g. Google.com in their browser, the initial connection is made via HTTP. The preload list says "if this domain is typed in the address bar, go straight to HTTPS; if that's not possible, stop the connection".
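
Added example, not part of the thread or of Chromium's code: a small model of the lookup described in the comment above, showing how a typed hostname is matched against preload entries and what happens when HTTPS fails. The entry fields (`name`, `include_subdomains`, `mode`) are assumed to follow the shape of the linked JSON file; the hostnames and the function names are constructed for illustration.

```python
import json

# Constructed sample in the assumed shape of the preload JSON; hostnames are made up.
SAMPLE_LIST = json.loads("""
{"entries": [
  {"name": "example.com", "include_subdomains": true, "mode": "force-https"},
  {"name": "login.example.org", "mode": "force-https"},
  {"name": "pins-only.example.net", "include_subdomains": true}
]}
""")


def build_index(preload):
    """Map lower-cased hostname -> entry for constant-time lookups."""
    return {entry["name"].lower(): entry for entry in preload["entries"]}


def is_preloaded(host, index):
    """True if the host, or a parent that covers subdomains, is force-https."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = index.get(".".join(labels[i:]))
        # Entries without mode=force-https do not force an upgrade.
        if entry is None or entry.get("mode") != "force-https":
            continue
        # i == 0 is an exact match; a parent only counts with include_subdomains.
        if i == 0 or entry.get("include_subdomains", False):
            return True
    return False


def navigate(typed, index, tls_works):
    """Return the URL loaded for a typed address, or None if the load is blocked.

    tls_works stands in for whether a valid HTTPS connection can be made.
    """
    host, _, rest = typed.partition("/")
    host = host.lower()
    if is_preloaded(host, index):
        # Preloaded hosts never fall back to plain HTTP.
        return f"https://{host}/{rest}" if tls_works else None
    # Non-preloaded hosts get the plain-HTTP first request the comment describes.
    return f"http://{host}/{rest}"


if __name__ == "__main__":
    idx = build_index(SAMPLE_LIST)
    for typed in ("Example.com", "www.login.example.org", "example.org"):
        print(typed, "->", navigate(typed, idx, tls_works=False))
```
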


I couldn't find a single mainstream media website in this list. Only the Washington Post and RT are accessible through HTTPS, but no HSTS headers are provided.

edit: removed acronym


I don't know what MSM is.

But if they are a group doing media and content websites, HSTS and full SSL are still hard to accomplish due to the advertising industry dragging its collective feet and knuckles.


Is it me, or does a hard-coded JSON file that is manually maintained and compiled-in seem like a terrible idea?

Couldn't Chrome just phone home to a secure server to retrieve HSTS data every once in a while (just like updates)?


Then the attacker could just block the update servers.



