Able to bypass HSTS using trailing dot
Medium
Vulnerability Details
## Summary:
curl allows users to load an HSTS cache which will cause curl to use HTTPS instead of HTTP given an HTTP URL for a given site specified in the HSTS cache.
## Affected version
curl version used for reproducing this issue is: 8.16.0
```
curl --version
```
```
curl 8.16.0 (Windows) libcurl/8.16.0 Schannel zlib/1.3.1 WinIDN
Release-Date: 2025-09-10
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS HSTS HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM SPNEGO SSL SSPI threadsafe Unicode UnixSockets
```
## Steps To Reproduce:
1. Use the below curl command:
```
curl --hsts hsts.txt http://accounts.google.com.
```
2. Observe the below response:
```
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://accounts.google.com/">here</A>.
</BODY></HTML>
```
## Reference Report:
https://hackerone.com/reports/1557449
## Impact
HSTS is bypassed.
Report Stats
- Report ID: 3574928
- State: Closed
- Substate: not-applicable
- Upvotes: 1
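The check a client needs for the trailing-dot case this report describes, as an added example that is not part of the original report and is not curl's own code: an HSTS cache lookup that treats `host.` and `host` as the same name, next to a naive comparison that does not. The struct, function names and cache entries are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical HSTS cache entry for this example (not curl's own struct). */
struct hsts_entry {
  const char *host;         /* stored without a trailing dot */
  bool include_subdomains;
};

/* Constructed sample cache. */
static const struct hsts_entry cache[] = {
  { "accounts.example.com", false },
  { "example.org", true },
};
#define NCACHE (sizeof(cache) / sizeof(cache[0]))

/* Naive lookup: whole-string host comparison, so "host." never matches. */
bool hsts_naive_match(const char *host)
{
  for(size_t i = 0; i < NCACHE; i++)
    if(!strcasecmp(host, cache[i].host))
      return true;
  return false;
}

/* Normalized lookup: ignore one trailing dot, then match exactly or,
   for includeSubDomains entries, on a label boundary. */
bool hsts_must_upgrade(const char *host)
{
  size_t hlen = strlen(host);
  if(hlen && host[hlen - 1] == '.')
    hlen--;                          /* "a.example." names the same host */
  for(size_t i = 0; hlen && i < NCACHE; i++) {
    size_t elen = strlen(cache[i].host);
    if(hlen == elen && !strncasecmp(host, cache[i].host, elen))
      return true;
    if(cache[i].include_subdomains && hlen > elen + 1 &&
       host[hlen - elen - 1] == '.' &&
       !strncasecmp(host + hlen - elen, cache[i].host, elen))
      return true;
  }
  return false;
}

int main(void)
{
  const char *h = "accounts.example.com.";   /* constructed input */
  printf("naive=%d normalized=%d\n", hsts_naive_match(h), hsts_must_upgrade(h));
  return 0;
}
```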