Closed Bug 1198397 Opened 5 years ago Closed 4 years ago

We probably don't intercept HSTS upgraded channels performed through CSP upgrade-insecure-requests

Categories: Core :: Networking, defect
Status: RESOLVED FIXED
Target Milestone: mozilla44
Tracking Status: firefox44 --- fixed
People: Reporter: ehsan, Unassigned
Attachments: 1 file

Like bug 1198394, but a bit more fun.  :(
Flags: needinfo?(josh)
Blocks: ServiceWorkers-postv1
No longer blocks: ServiceWorkers-v1
Note: the fetch spec says that the insecure request should be upgraded/blocked, and the upgraded request should have the regular interception steps applied to it.
Flags: needinfo?(josh)
This will be fixed in bug 1198394.
Depends on: 1198394
Josh: ping?
Comment on attachment 8673305 [details] [diff] [review]
Add a test for interception of requests upgraded through the CSP upgrade-insecure-requests directive

Review of attachment 8673305 [details] [diff] [review]:
-----------------------------------------------------------------

Sorry, I had this finished yesterday and forgot to submit it.

::: dom/workers/test/serviceworkers/fetch/upgrade-insecure/upgrade-insecure_test.js
@@ +1,3 @@
> +self.addEventListener("fetch", function(event) {
> +  if (event.request.url.indexOf("index.html") >= 0) {
> +    event.respondWith(fetch("realindex.html"));
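Review bot: The `event.request.url.indexOf("index.html") >= 0` condition on the second line of this hunk is a substring match, so it is also true for a URL ending in `realindex.html`, and it says nothing about the scheme of the intercepted request. Since the test exists to show that the upgraded request is the one that reaches the worker, check the scheme explicitly (for example, that the URL starts with `https://`) and match the file name at the end of the path, so that an un-upgraded `http://` request fails the test instead of being served `realindex.html`.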

Let's reject this if we see http://.

::: dom/workers/test/serviceworkers/mochitest.ini
@@ +92,5 @@
> +  fetch/upgrade-insecure/embedder.html
> +  fetch/upgrade-insecure/embedder.html^headers^
> +  fetch/upgrade-insecure/image.html
> +  fetch/upgrade-insecure/image-20px.png
> +  fetch/upgrade-insecure/image-40px.png

Looks like both of these are missing.
Attachment #8673305 - Flags: review?(josh) → review+
(In reply to Josh Matthews [:jdm] from comment #5)
> ::: dom/workers/test/serviceworkers/mochitest.ini
> @@ +92,5 @@
> > +  fetch/upgrade-insecure/embedder.html
> > +  fetch/upgrade-insecure/embedder.html^headers^
> > +  fetch/upgrade-insecure/image.html
> > +  fetch/upgrade-insecure/image-20px.png
> > +  fetch/upgrade-insecure/image-40px.png
> 
> Looks like both of these are missing.

You're being tricked by Splinter.  :-)
https://hg.mozilla.org/mozilla-central/rev/831c479eb421
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44