
"gnu.org" is on the list marked as a Chinese website...


There are some other confusing ones as well.

nature.com is marked as Chinese, as are nginx.org and ntp.org.

example.com is Indian in the list as is the now defunct dmoz.org.

I don't understand the methodology behind the country assignments at all…


Weirdly nature.com seems to actually redirect to https, as does zara.com, lenovo.com, genuis.com, and senate.gov. Is this list stale, or did no one spot-check this?


Yes, senate.gov in particular:

  % curl -I senate.gov
  HTTP/1.1 301 Moved Permanently
  Server: AkamaiGHost
  Content-Length: 0
  Location: http://www.senate.gov/
  Date: Tue, 17 Dec 2019 10:37:04 GMT
  Connection: keep-alive

  % curl -I www.senate.gov
  HTTP/1.1 301 Moved Permanently
  Server: Apache
  Location: https://www.senate.gov/
  Content-Length: 231
  Content-Type: text/html; charset=iso-8859-1
  Date: Tue, 17 Dec 2019 10:37:08 GMT
  Connection: keep-alive

It seems to meet the requirement for exclusion from the list. Data updated 16 Dec 2019, so I don't think it's stale.

I've also checked from an Australian and a European connection, so I don't think it's a regional thing. The other genuis.com doesn't work for me, the other sites redirect and set a cookie.


If you're trying to get senate.gov onto the HSTS preload list, you have to redirect http://senate.gov to https://senate.gov before https://www.senate.gov

Maybe their tester applies the same criteria - although to me that feels a bit unfair...


It takes multiple redirects to reach https for several of those. It may just be looking at the first hop - which makes a certain sort of sense.


Article states they allow multiple 301 or 302 redirects. What is not allowed are JS based redirects. There might also be a limit to the number of redirects followed, but that isn't mentioned in the article.


Same with w3.org, which is fifth on the list, and ebay-kleinanzeigen.de. Seems like quite a few entries are off.


w3.org redirects to www.w3.org, but not HTTPS. This makes sense for the standards org that defines HTTP, and needs to maintain backwards compatibility.


Except the standards org that defines HTTP is the IETF, not the W3C...


Oops! You're right, the W3C only helped author it.

I was also wrong to say that w3.org never redirects to HTTPS. If the browser sends an Upgrade-Insecure-Requests HTTP header, then it redirects. That allows it to support all browsers as securely as possible.

Sites like whynohttps.com and observatory.mozilla.org should really test for this pattern.
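The checks argued about above (does the 301/302 chain end on HTTPS, does the first hop satisfy the HSTS preload rule, does the tester vary on Upgrade-Insecure-Requests, and what happens with JS-only redirects or loops) can be made concrete with a small offline redirect-chain checker. This is an added example, not code from this thread, from whynohttps.com or from observatory.mozilla.org. It models server responses as a constructed lookup table instead of doing network I/O: the senate.gov hops are copied from the curl output quoted earlier in the thread, the *.example hosts are invented, and the ten-hop cap is an assumption (the thread notes the real tester's limit is not documented).

```python
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10  # assumed cap; the thread says the real tester's limit is not documented

# Constructed fixture (not live data). Key: (url, uir) where uir means the client sent
# "Upgrade-Insecure-Requests: 1". Value: (status, Location header, body).
# senate.gov entries reproduce the hops from the curl output quoted in the thread;
# the *.example hosts are invented to exercise the other cases discussed.
FIXTURE = {
    ("http://senate.gov/", False): (301, "http://www.senate.gov/", ""),
    ("http://www.senate.gov/", False): (301, "https://www.senate.gov/", ""),
    ("https://www.senate.gov/", False): (200, None, "<html>ok</html>"),
    # canonicalises the host, but only upgrades to https when the UIR header is present
    ("http://uir.example/", False): (301, "http://www.uir.example/", ""),
    ("http://www.uir.example/", False): (200, None, "<html>plain http</html>"),
    ("http://uir.example/", True): (301, "http://www.uir.example/", ""),
    ("http://www.uir.example/", True): (301, "https://www.uir.example/", ""),
    ("https://www.uir.example/", True): (200, None, "<html>ok</html>"),
    # a 200 whose only "redirect" is client-side script: a curl-style checker never follows it
    ("http://js.example/", False): (200, None, '<script>location.href="https://js.example/"</script>'),
    # a redirect loop
    ("http://loop.example/", False): (302, "http://loop.example/", ""),
    # the preload-ready shape: first hop is https on the same host
    ("http://good.example/", False): (301, "https://good.example/", ""),
    ("https://good.example/", False): (200, None, "<html>ok</html>"),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def fetch(url, uir=False):
    """Stand-in for an HTTP request. Falls back to the non-UIR entry when the
    server does not vary on the header, and returns 404 for unknown URLs."""
    return FIXTURE.get((url, uir)) or FIXTURE.get((url, False)) or (404, None, "")


def follow_chain(start, uir=False, max_hops=MAX_HOPS):
    """Follow 3xx Location headers hop by hop. Returns (chain, outcome, final_body)."""
    chain, seen, url = [start], {start}, start
    for _ in range(max_hops):
        status, location, body = fetch(url, uir)
        if status in REDIRECT_STATUSES and location:
            nxt = urljoin(url, location)  # Location may be relative
            if nxt in seen:
                return chain, "loop", ""
            chain.append(nxt)
            seen.add(nxt)
            url = nxt
            continue
        return chain, ("ok" if status == 200 else f"http {status}"), body
    return chain, "too many redirects", ""


def assess(host, uir=False):
    """Apply the criteria discussed in the thread to http://<host>/."""
    chain, outcome, body = follow_chain(f"http://{host}/", uir)
    final = urlparse(chain[-1])
    first_hop = urlparse(chain[1]) if len(chain) > 1 else None
    return {
        "chain": chain,
        "outcome": outcome,
        # whynohttps-style criterion: the chain of 301/302s ends on https
        "reaches_https": outcome == "ok" and final.scheme == "https",
        # HSTS preload criterion: the very first hop must be https on the *same* host,
        # so http://senate.gov -> http://www.senate.gov fails although the chain ends on https
        "preload_first_hop_ok": (first_hop is not None
                                 and first_hop.scheme == "https"
                                 and first_hop.hostname == host),
        # heuristic only: a plain-http 200 whose body assigns location is a JS redirect,
        # which a 3xx-following checker will not credit
        "js_redirect_suspected": (outcome == "ok" and final.scheme == "http"
                                  and "location" in body.lower()),
    }


if __name__ == "__main__":
    for host, uir in [("senate.gov", False), ("uir.example", False), ("uir.example", True),
                      ("js.example", False), ("loop.example", False), ("good.example", False)]:
        r = assess(host, uir)
        print(f"{host:14} UIR={uir!s:5} {' -> '.join(r['chain'])}")
        print(f"{'':14} outcome={r['outcome']} reaches_https={r['reaches_https']} "
              f"preload_first_hop_ok={r['preload_first_hop_ok']} "
              f"js_redirect_suspected={r['js_redirect_suspected']}")
```

Run against the fixture, senate.gov comes out as reaches_https=True but preload_first_hop_ok=False, which is exactly the disagreement in the thread: it passes a "does it end up on HTTPS" test and fails the stricter preload rule. The uir.example host only reaches HTTPS when assessed with uir=True, which is the case a tester that never sends the header would miss. To point this at real hosts, replace fetch() with a HEAD request that does not auto-follow redirects and reads the Location header from each response.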


I noticed it as well. I first thought it was a result of using CDN services or recycled IP addresses, but gnu.org doesn't use a CDN, and its IPv4 and IPv6 are both served by Hurricane Electric, which never did any business in mainland China.

Must be a bug.



