Closed Bug 1272440 Opened 4 years ago Closed 3 years ago

Reevaluate whether CORS is required after HSTS Priming

Categories

(Core :: DOM: Security, defect)

RESOLVED INVALID

People

(Reporter: kmckinley, Assigned: kmckinley)

(Whiteboard: [domsecurity-active])

In nsHttpChannel::ContinueConnect, if the HSTS priming result alters the URI, reevaluate whether CORS is required before sending the preflight.
Status: NEW → ASSIGNED
Whiteboard: [domsecurity-active]
I don't believe CORS needs to be reevaluated as an additional step. AsyncOpen2 is required for HSTS priming, and HSTS priming uses nsHttpChannel::HandleAsyncRedirectChannelToHttps, which results in AsyncOpen2 being called on the upgraded URI. AsyncOpen2 will evaluate whether CORS is required on the updated URI, so no additional steps are required.
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID