Closed Bug 1198397 Opened 9 years ago Closed 9 years ago

We probably don't intercept HSTS upgraded channels performed through CSP upgrade-insecure-requests

Categories

(Core :: Networking, defect)

Product:
Core
Component:
Networking
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla44
Tracking Flags:
Tracking Status
firefox44 --- fixed

People

(Reporter: ehsan.akhgari, Unassigned)

References

Details

Attachments

(1 file)

Add a test for interception of requests upgraded through the CSP upgrade-insecure-requests directive
9.24 KB, patch
jdm
: review+
Details | Diff | Splinter Review
Like bug 1198394, but a bit more fun. :(
Flags: needinfo?(josh)
Blocks: ServiceWorkers-postv1
No longer blocks: ServiceWorkers-v1
Note: the fetch spec says that the insecure request should be upgraded/blocked, and the upgraded request should have the regular interception steps applied to it.
Flags: needinfo?(josh)
This will be fixed in bug 1198394.
Depends on: 1198394
Josh: ping?
Comment on attachment 8673305 [details] [diff] [review] Add a test for interception of requests upgraded through the CSP upgrade-insecure-requests directive Review of attachment 8673305 [details] [diff] [review]: ----------------------------------------------------------------- Sorry, I had this finished yesterday and forgot to submit it. ::: dom/workers/test/serviceworkers/fetch/upgrade-insecure/upgrade-insecure_test.js @@ +1,3 @@ > +self.addEventListener("fetch", function(event) { > + if (event.request.url.indexOf("index.html") >= 0) { > + event.respondWith(fetch("realindex.html")); Let's reject this if we see http://. ::: dom/workers/test/serviceworkers/mochitest.ini @@ +92,5 @@ > + fetch/upgrade-insecure/embedder.html > + fetch/upgrade-insecure/embedder.html^headers^ > + fetch/upgrade-insecure/image.html > + fetch/upgrade-insecure/image-20px.png > + fetch/upgrade-insecure/image-40px.png Looks like both of these are missing.
Attachment #8673305 - Flags: review?(josh) → review+
(In reply to Josh Matthews [:jdm] from comment #5) > ::: dom/workers/test/serviceworkers/mochitest.ini > @@ +92,5 @@ > > + fetch/upgrade-insecure/embedder.html > > + fetch/upgrade-insecure/embedder.html^headers^ > > + fetch/upgrade-insecure/image.html > > + fetch/upgrade-insecure/image-20px.png > > + fetch/upgrade-insecure/image-40px.png > > Looks like both of these are missing. You're being tricked by Splinter. :-)
https://hg.mozilla.org/mozilla-central/rev/831c479eb421
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox44: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: