bmoattachments.org should set a strict-transport-security header

REOPENED
Unassigned

Status


bugzilla.mozilla.org
General
REOPENED
2 years ago
4 months ago

People

(Reporter: glob, Unassigned)

Tracking

(Blocks: 1 bug)

Production

Details

(Reporter)

Description

2 years ago
bmoattachments.org doesn't set the strict-transport-security header.

STS was disabled on the attachment subdomains as a result of bug 607138; there's talk there about this being problematic for sites that host attachments on different domains (which we recently started doing), but it looks like a followup bug was never filed.

i suspect we can't do this without includeSubDomains, and as a result generating at least one entry in the permissions db for each visited attachment, because users never visit bmoattachments.org directly.

reed - i'm curious about your thoughts here.
Flags: needinfo?(reed)

Sorry for the delay. Busy week, so just catching up on other stuff.

First of all, I've submitted a request to the Chromium folks to add bmoattachments.org to the HSTS preload list.

Sending HSTS for every subdomain is likely to generate lots of entries for folks who open lots of attachments, to be fair, though I also think a bug should be filed to see if something in the spec could be done to improve that (rare but possible) situation.

For now, let's work around it using a hack that Dropbox came up with.

1. Configure bmoattachments.org to send a valid HSTS header that includes includeSubDomains with a long max-age.
2. On all bmo pages, include an <img> similar to <img src="https://dropbox.com/hstsping" style="display:none;" /> that will cause the browser to load https://bmoattachments.org and see the HSTS header.

Besides that, we can also (optionally) send an HSTS header for *.bmoattachments.org with a low max-age (so entries expire quickly off the list) as an extra protection against short-term attacks (if the browser doesn't have bmoattachments.org HSTS preloaded and never visited https://bmoattachments.org to see the HSTS header).
Flags: needinfo?(reed)
(Reporter)

Updated

2 years ago
Depends on: 1238523
(Reporter)

Comment 2

2 years ago
awesome; thanks again reed.

i've filed bug 1238523 to get the infra side of bmoattachments.org working.
we'll track adding the <img> to our footer here once that works, as well as the short-lived sts header.

Comment 3

2 years ago
Reed, that sounds like the perfect plan. Couldn't have crafted it better myself.  :)

Updated

2 years ago
Blocks: 1246672

Comment 4

2 years ago
Thanks to everyone for all their hard work on this!
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED

Comment 5

2 years ago
Oh whoops, I just realized that we haven't yet set HSTS on the subdomains.  My bad; reopening!
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

Comment 6

2 years ago
So I think we still need to implement:

1) the invisible image to pull from https://bmoattachments.org/ to set HSTS for browsers that don't have bmoattachments in the preload list
2) (optionally) set a short HSTS length on the subdomain

BTW, I did take a look and we're in the preload list, so that's great!

https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json#5836
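The following Python model is an added illustration of the plan laid out in Reed's reply and restated in comment 6; it is not Bugzilla's or Mozilla's code. It assumes a browser with no preload entry, a long `includeSubDomains` header on bmoattachments.org (fetched only through the hidden image ping), and a short `max-age` on each attachment host. The header values and the `bugNNN.bmoattachments.org` hostnames are constructed for the example; the bug does not give concrete numbers. It shows why an attachment host the user has never opened is only covered once the apex entry exists, and why the short-lived per-host entries expire without removing protection.

```python
import re
from dataclasses import dataclass

# Header values constructed for this example (the bug gives no concrete numbers).
APEX_HSTS = "max-age=31536000; includeSubDomains"   # sent by https://bmoattachments.org
SUBDOMAIN_HSTS = "max-age=600"                       # sent by each bugNNN.bmoattachments.org
PING_HOST = "bmoattachments.org"                     # target of the hidden <img> on bmo pages


@dataclass
class HstsEntry:
    expires: int            # absolute time, in seconds
    include_subdomains: bool


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when max-age is missing or malformed; browsers ignore such a
    header, so a typo in the server config silently disables the policy.
    """
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if m is None:
                return None
            max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """Minimal model of a browser's dynamic HSTS cache (no preload list)."""

    def __init__(self):
        self.entries = {}   # host -> HstsEntry

    def observe(self, host, header, now):
        """Record the header from an HTTPS response received at time `now`."""
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.entries.pop(host, None)   # max-age=0 tells the browser to forget the host
        else:
            self.entries[host] = HstsEntry(now + max_age, include_sub)

    def is_https_only(self, host, now):
        """True if `host` itself, or an ancestor whose live entry has includeSubDomains, is known."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def live_entries(self, now):
        return sorted(h for h, e in self.entries.items() if e.expires > now)


def simulate(ping_on_bmo_pages, attachment_hosts, now=0):
    """Open each attachment host once at `now`; report what the store looks like afterwards.

    `ping_on_bmo_pages` models the hidden <img> that makes the browser fetch
    https://bmoattachments.org, a host nobody visits by hand.
    """
    store = HstsStore()
    if ping_on_bmo_pages:
        store.observe(PING_HOST, APEX_HSTS, now)
    for host in attachment_hosts:
        store.observe(host, SUBDOMAIN_HSTS, now)
    never_visited = "bug999.bmoattachments.org"   # constructed: an attachment not yet opened
    return {
        "entries_at_t0": store.live_entries(now),
        "unvisited_host_protected": store.is_https_only(never_visited, now + 1),
        "visited_host_protected_after_short_expiry":
            store.is_https_only(attachment_hosts[0], now + 601),
        "entries_after_short_expiry": store.live_entries(now + 601),
    }


if __name__ == "__main__":
    hosts = ["bug1.bmoattachments.org", "bug2.bmoattachments.org"]
    print("without ping:", simulate(False, hosts))
    print("with ping:   ", simulate(True, hosts))
```

Without the ping, the store holds one entry per attachment host opened (the growth the reporter worried about) and an unopened attachment host is still reachable over plain HTTP; with the ping, a single apex entry covers every `*.bmoattachments.org` host and outlives the short-lived per-host entries, which drop out after their `max-age`.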
Being in chrome's list is no guarantee: we run our own checks and reject a bunch (see the .errors file). In this case, however, we do seem to have it in Firefox:
https://dxr.mozilla.org/mozilla-central/rev/af7c0cb0798f5425d5d344cbaf0ac0ecb1a72a86/security/manager/ssl/nsSTSPreloadList.inc#815
Duplicate of this bug: 1434675