Closed Bug 1272440 Opened 8 years ago Closed 8 years ago

Reevaluate whether CORS is required after HSTS Priming

Tracking

()

Status:

RESOLVED INVALID

People

(Reporter: kmckinley, Assigned: kmckinley)

References

Details

(Whiteboard: [domsecurity-active])

Kate McKinley [:kmckinley, :Kate]

Assignee

Description

•

8 years ago

In nsHttpChannel::ContinueConnect, if the HSTS priming result alters the URI, reevaluate whether CORS is required before sending the preflight.

Christoph Kerschbaumer [:ckerschb]

Updated

•

8 years ago

Status: NEW → ASSIGNED

Whiteboard: [domsecurity-active]

Kate McKinley [:kmckinley, :Kate]

Assignee

Comment 1

•

8 years ago

I don't believe CORS needs to be reevaluated as an additional step. Since AsyncOpen2 is required for HSTS priming, and HSTS priming uses nsHttpChannel::HandleAsyncRedirectChannelToHttps, which results in AsyncOpen2 being called on the upgraded URI. AsyncOpen2 will evaluate whether CORS is required on the updated URI, so no additional steps are required.

Status: ASSIGNED → RESOLVED

Closed: 8 years ago

Resolution: --- → INVALID

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Reevaluate whether CORS is required after HSTS Priming

Categories

(Core :: DOM: Security, defect)

Tracking

()

People

(Reporter: kmckinley, Assigned: kmckinley)

References

Details

(Whiteboard: [domsecurity-active])

Crash Data

Security

(public)

User Story

Description

Updated

Comment 1