Closed Bug 1246537 Opened 4 years ago Closed 2 years ago

[META] HSTS priming

Categories: Core :: DOM: Security, defect
Tracking: RESOLVED WONTFIX
People: Reporter: kmckinley, Assigned: kmckinley
References: Depends on 2 open bugs
Details: Keywords: dev-doc-needed, meta; Whiteboard: [domsecurity-meta] [hsts-priming]

Mixed-content blocking may prevent some sites from moving from HTTP to HTTPS. In order to help sites opportunistically move to HTTPS, we introduce the concept of HSTS Priming.

In the case where the browser is on a secure page and would attempt to load an a-priori non-secure URI, the browser will send a priming request via HTTPS to the host. If successful, and the response contains the Strict-Transport header, the contents of that header will be cached and the load will proceed with the secure origin.

This will eventually require changes to several specs, notably FETCH, MIXED-CONTENT, and HSTS.

References:
https://mikewest.github.io/hsts-priming/
http://webappsec-test.info/~bhill2/DifferentTakeOnOE.html
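Added example, not code from this bug or from the Firefox implementation: a JavaScript model of the priming decision described in the bug summary (secure page, a priori non-secure subresource, HTTPS priming request, cache the policy and upgrade the load if the response carries a valid Strict-Transport-Security header). The cache layout, the `decideLoad` function, the `prime` callback and the sample hosts (`hsts.example`, `plain.example`, `legacy.example`) are assumptions made for illustration; the header parsing follows RFC 6797. It also handles the cases a practitioner cares about: a host already covered by a cached `includeSubDomains` policy skips priming, and a failed priming request (no HTTPS listener, bad certificate) falls through to the existing mixed-content blocker instead of upgrading.

```javascript
// Added example (not the bug's or Firefox's code): a minimal model of the
// HSTS priming decision for a subresource load from a secure page.
// The cache layout, `prime` callback and sample hosts below are hypothetical.

// Parse a Strict-Transport-Security value per RFC 6797 section 6.1.
// Returns {maxAge, includeSubDomains} or null when the header is unusable
// (missing or non-numeric max-age, or a directive that appears twice).
function parseHsts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  let seenIsd = false;
  for (const raw of String(value).split(';')) {
    const d = raw.trim();
    if (!d) continue;
    const eq = d.indexOf('=');
    const name = (eq === -1 ? d : d.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? null : d.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (name === 'max-age') {
      if (maxAge !== null || val === null || !/^\d+$/.test(val)) return null;
      maxAge = Number(val);
    } else if (name === 'includesubdomains') {
      if (seenIsd) return null;
      seenIsd = true;
      includeSubDomains = true;
    }
    // Unknown directives are ignored, as the RFC requires.
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

// Record a parsed policy for `host`; max-age=0 clears any existing entry.
function rememberHsts(cache, host, policy, now) {
  if (policy.maxAge === 0) { cache.delete(host); return; }
  cache.set(host, { expires: now + policy.maxAge * 1000,
                    includeSubDomains: policy.includeSubDomains });
}

// Is `host` covered by an unexpired cached policy, either directly or through
// a parent domain that set includeSubDomains?
function isKnownHsts(cache, host, now) {
  const labels = host.split('.');
  for (let i = 0; i < labels.length; i++) {
    const entry = cache.get(labels.slice(i).join('.'));
    if (!entry || entry.expires <= now) continue;
    if (i === 0 || entry.includeSubDomains) return true;
  }
  return false;
}

// Decide how to fetch `targetUrl` from a document at `pageUrl`.
// `prime(origin)` issues the HTTPS priming request and resolves to
// {status, headers} (header names lower-cased) or rejects on a network/TLS
// failure. Result actions: 'load' (nothing to do), 'upgrade' (rewrite to
// https), 'mixed-content' (hand the original URL to the normal blocker).
async function decideLoad(pageUrl, targetUrl, cache, prime, now = Date.now()) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  if (page.protocol !== 'https:' || target.protocol !== 'http:') {
    return { action: 'load', url: target.href };
  }
  const upgraded = new URL(target.href);
  upgraded.protocol = 'https:';
  if (isKnownHsts(cache, target.hostname, now)) {
    return { action: 'upgrade', url: upgraded.href };
  }
  try {
    const res = await prime(upgraded.origin);
    const sts = res.headers['strict-transport-security'];
    const policy = sts === undefined ? null : parseHsts(sts);
    if (policy && policy.maxAge > 0) {
      rememberHsts(cache, target.hostname, policy, now);
      return { action: 'upgrade', url: upgraded.href };
    }
  } catch (e) {
    // Priming failed (no HTTPS listener, certificate error, timeout).
  }
  return { action: 'mixed-content', url: target.href };
}

// Constructed stand-in for the network: the hosts and responses are made up.
async function fakePrime(origin) {
  const host = new URL(origin).hostname;
  if (host === 'hsts.example' || host === 'cdn.hsts.example') {
    return { status: 200, headers: {
      'strict-transport-security': 'max-age=31536000; includeSubDomains' } };
  }
  if (host === 'plain.example') return { status: 200, headers: {} };
  throw new Error('TLS handshake failed for ' + origin);
}

// Walk a few loads from one secure page and return the decisions in order.
async function demo() {
  const cache = new Map();
  const page = 'https://app.example/';
  const targets = ['http://hsts.example/a.js', 'http://cdn.hsts.example/b.js',
                   'http://plain.example/c.js', 'http://legacy.example/d.js',
                   'https://hsts.example/e.js'];
  const out = [];
  for (const t of targets) out.push((await decideLoad(page, t, cache, fakePrime)).action);
  return out;
}

demo().then((r) => console.log(r.join(' ')));
```

In the demo the second load (`cdn.hsts.example`) is upgraded without a priming request because the first priming response cached a policy with `includeSubDomains` for the parent host; `plain.example` answers over HTTPS but without the header, and `legacy.example` has no working HTTPS at all, so both are left to the existing mixed-content rules rather than silently upgraded.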
Depends on: 1246540
How do we expect this to work with service worker interception?  Should the priming request bypass the service worker or be interceptable via the fetch event?
Blocks: 838395
Keywords: meta
Whiteboard: [domsecurity-meta]
Duplicate of this bug: 983485
(In reply to Ben Kelly [:bkelly] from comment #1)
> How do we expect this to work with service worker interception?  Should the
> priming request bypass the service worker or be interceptable via the fetch
> event?

That's a good question.  Shouldn't we just generally treat SW-intercepted requests as if they're secure?  After all, they didn't even leave the browser.  Probably a good question for the Secure Contexts spec.
Depends on: 1269814
Depends on: 1269815
Depends on: 1269850
Depends on: 1272440
Depends on: 1275402
Status: NEW → ASSIGNED
Depends on: 1313595
Depends on: 1313596
Depends on: 1313597
Whiteboard: [domsecurity-meta] → [domsecurity-meta] [hsts-priming]
Depends on: 1328460
Depends on: 1359987
Depends on: 1365432
No longer blocks: 838395
Depends on: 838395
HSTS Priming was removed from the codebase within Bug 1424917 which renders this META bug as WONTFIX.
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX