Closed
Bug 1198397
Opened 9 years ago
Closed 9 years ago
We probably don't intercept HSTS upgraded channels performed through CSP upgrade-insecure-requests
Categories
(Core :: Networking, defect)
Tracking
RESOLVED
FIXED
mozilla44
| | Tracking | Status |
|---|---|---|
| firefox44 | --- | fixed |
People
(Reporter: ehsan.akhgari, Unassigned)
Attachments
(1 file)
Like bug 1198394, but a bit more fun. :(
Flags: needinfo?(josh)
Comment 1•9 years ago
Note: the fetch spec says that the insecure request should be upgraded/blocked, and the upgraded request should have the regular interception steps applied to it.
Flags: needinfo?(josh)
Comment 3•9 years ago (Reporter)
Attachment #8673305 -
Flags: review?(josh)
Comment 4•9 years ago (Reporter)
Josh: ping?
Comment 5•9 years ago
Comment on attachment 8673305
Add a test for interception of requests upgraded through the CSP upgrade-insecure-requests directive
Review of attachment 8673305:
-----------------------------------------------------------------
Sorry, I had this finished yesterday and forgot to submit it.
::: dom/workers/test/serviceworkers/fetch/upgrade-insecure/upgrade-insecure_test.js
@@ +1,3 @@
> +self.addEventListener("fetch", function(event) {
> + if (event.request.url.indexOf("index.html") >= 0) {
> + event.respondWith(fetch("realindex.html"));
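Review bot: The condition `event.request.url.indexOf("index.html") >= 0` is a substring match, so it is also true for `realindex.html`, the resource requested on the next line, and for any other URL that merely contains that string. Comparing against the exact expected URL, or at least checking how the path ends, would tie the handler to the one request it means to intercept. The condition in these lines also never looks at the scheme, so it cannot tell an upgraded `https://` request from an un-upgraded `http://` one, which is the property a test for upgrade-insecure-requests interception needs to pin down.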
Let's reject this if we see http://.
::: dom/workers/test/serviceworkers/mochitest.ini
@@ +92,5 @@
> + fetch/upgrade-insecure/embedder.html
> + fetch/upgrade-insecure/embedder.html^headers^
> + fetch/upgrade-insecure/image.html
> + fetch/upgrade-insecure/image-20px.png
> + fetch/upgrade-insecure/image-40px.png
Looks like both of these are missing.
Attachment #8673305 -
Flags: review?(josh) → review+
Comment 6•9 years ago (Reporter)
(In reply to Josh Matthews [:jdm] from comment #5)
> ::: dom/workers/test/serviceworkers/mochitest.ini
> @@ +92,5 @@
> > + fetch/upgrade-insecure/embedder.html
> > + fetch/upgrade-insecure/embedder.html^headers^
> > + fetch/upgrade-insecure/image.html
> > + fetch/upgrade-insecure/image-20px.png
> > + fetch/upgrade-insecure/image-40px.png
>
> Looks like both of these are missing.
You're being tricked by Splinter. :-)
Comment 8•9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox44: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Comment 9•9 years ago