Weighing Options after Undoing HSTS Policy to Exclude SubDomains

We accidentally set up a HSTS policy to include SubDomains but have since removed that option. However, existing users who may have visited our main site would now have that cached and would therefore see a ssl error when they visit any of our subdomains. Unless they revisit our main site again to reload the new policy without the includeSubDomains, they would see that ssl error. (not sure if we need this last part after just reading your post on the other channel? => ) One method we thought about to get around this problem is to use a separate domain name for an initial campaign. Then go back to using our subdomains once we're more certain that the old policy has been replaced with the new one on users' browser caches. However, we know that would have significant tracking implications because of the cookies not carrying over. Does anyone have any other recommendations that don't involve the time and $ of working with Marketo Pro Services (I can't wait 2-3 weeks or spend a ton beyond the budget I had for MA)? We are stuck here!

One thing you didn't quite reveal is why you want to revert the includeSubDomains. Is it because of the expense of setting up with Marketo?  B/c if that's the only reason, and you already have a wildcard or SAN cert that covers your Marketo subdomain, you can steer your traffic through an inexpensive CDN like CloudFront, where there is no setup or maintenance fee (other than renewing your cert, which you're presumably already doing).

Referrers are removed by browsers when the end-user navigates from a secure to an insecure site.  The fact that the the CDN server is communicating with a deeper origin server is totally unknown to the browser.  Every day, your browser connects to systems like this (SSL front end, non-SSL back end) and doesn't know it. The referrer is not affected. The browser only sees SSL.

For click tracking, the referrer is not used, so it wouldn't matter whether it's affected or not (though it's not).