should set a strict-transport-security header



2 years ago
4 months ago


(Reporter: glob, Unassigned)


(Blocks: 1 bug)





2 years ago
doesn't set the strict-transport-security.

STS was disabled on the attachment subdomains as a result of bug 607138; there's talk there about this being problematic for sites that host attachments on different domains (which we recently started doing), but it looks like a followup bug was never filed.

i suspect we can't do this without includeSubDomains, and as a result generating at least one entry in the permissions db for each visited attachment, because users never visit directly.

reed - i'm curious about your thoughts here.
Flags: needinfo?(reed)
Sorry for the delay. Busy week, so just catching up on other stuff.

First of all, I've submitted a request to the Chromium folks to add to the HSTS preload list.

Sending HSTS for every subdomain is likely to generate lots of entries for folks who open lots of attachments, to be fair, though I also think a bug should be filed to see if something in the spec could be done to improve that (rare but possible) situation.

For now, let's work around it using a hack that Dropbox came up with.

1. Configure to send a valid HSTS header that includes includeSubDomains with a long max-age.
2. On all bmo pages, include an <img> similar to <img src="" style="display:none;" /> that will cause the browser to load and see the HSTS header.

Besides that, we can also (optionally) send an HSTS header for * with a low max-age (so entries expire quickly off the list) as an extra protection against short-term attacks (if the browser doesn't have HSTS preloaded and never visited to see the HSTS header).
Flags: needinfo?(reed)


2 years ago
Depends on: 1238523

Comment 2

2 years ago
awesome; thanks again reed.

i've filed bug 1238523 to get the infra side of working.
we'll track adding the <img> to our footer here once that works, as well as the short-lived sts header.

Comment 3

2 years ago
Reed, that sounds like the perfect plan. Couldn't have crafted it better myself.  :)


2 years ago
Blocks: 1246672

Comment 4

2 years ago
Thanks to everyone for all their hard work on this!
Last Resolved: 2 years ago
Resolution: --- → FIXED

Comment 5

2 years ago
Oh whoops, I just realized that we haven't yet set HSTS on the subdomains.  My bad; reopening!
Resolution: FIXED → ---

Comment 6

2 years ago
So I think we still need to implement:

1) the invisible image to pull from to set HSTS for browsers that don't have bmoattachments in the preload list
2) (optionally) set a short HSTS length on the subdomain

BTW, I did take a look and we're in the preload list, so that's great!
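To make the trade-off in reed's plan (comment 1) and the remaining to-do list above concrete, here is an added model of a browser's HSTS store; it is illustration code, not Bugzilla or browser code, and `attachments.example` with per-bug hosts like `bug101.attachments.example` are constructed placeholders for the attachment domain. It shows that one `includeSubDomains` header seen via the hidden image covers every attachment host, while a header sent only by each attachment host leaves one entry per attachment opened, and that the short max-age variant expires as intended.

```python
import re

# Added model of a browser's HSTS store (illustration, not Bugzilla or browser
# code). Hostnames are constructed placeholders for the attachment domain.
HSTS_MAX_AGE = re.compile(r"max-age\s*=\s*(\d+)", re.I)


def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if no max-age directive."""
    m = HSTS_MAX_AGE.search(value)
    if m is None:
        return None
    directives = [d.strip().lower() for d in value.split(";")]
    return int(m.group(1)), "includesubdomains" in directives


class HstsStore:
    """host -> (expiry, include_subdomains), as a browser would keep it."""
    def __init__(self):
        self.entries = {}

    def observe(self, host, header, now):
        """Record a Strict-Transport-Security header seen over TLS from host."""
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:  # max-age=0 tells the browser to forget the host
            self.entries.pop(host, None)
        else:
            self.entries[host] = (now + max_age, include_sub)

    def should_upgrade(self, host, now):
        """True if host, or a parent with includeSubDomains, has a live entry."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False


def compare_options(now=0):
    """Per-attachment-host HSTS vs. the hidden-image + includeSubDomains plan."""
    per_host = HstsStore()  # option A: each attachment host sends its own HSTS
    for n in (101, 102, 103):
        per_host.observe(f"bug{n}.attachments.example", "max-age=300", now)
    apex = HstsStore()  # option B: hidden <img> loads the apex once per page
    apex.observe("attachments.example", "max-age=31536000; includeSubDomains", now)
    return (len(per_host.entries), len(apex.entries),
            apex.should_upgrade("bug999.attachments.example", now + 60))
```

`compare_options()` returns `(3, 1, True)`: three entries for three attachments opened under option A, one domain-wide entry under option B that already covers an attachment host the browser has never visited.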
Being in chrome's list is no guarantee: we run our own checks and reject a bunch (see the .errors file). In this case, however, we do seem to have it in Firefox:
Duplicate of this bug: 1434675