http: use the IDN decoded name in HSTS checks

Otherwise it stores the info HSTS into the persistent cache for the IDN
name which will not match when the HSTS status is later checked for
using the decoded name.

Reported-by: Hiroki Kurosawa
Closes #10111

diff --git a/lib/http.c b/lib/http.c
index 85528a2218eeefef60249efe62aff6d861b7dfc1..a784745a8d505208c5463bd65527ae5094c41965 100644 (file)
--- a/lib/http.c
+++ b/lib/http.c
@@ -3646,7 +3646,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn,
 #endif
             )) {
     CURLcode check =
-      Curl_hsts_parse(data->hsts, data->state.up.hostname,
+      Curl_hsts_parse(data->hsts, conn->host.name,
                       headp + strlen("Strict-Transport-Security:"));
     if(check)
       infof(data, "Illegal STS header skipped");