Closed Bug 1310807 Opened 9 years ago Closed 9 years ago

Consider enabling HSTS on air.mozilla.org

Categories

(Webtools Graveyard :: Air Mozilla, defect)


RESOLVED FIXED

People

(Reporter: Atoll, Assigned: peterbe)

Details

Attachments

(2 files)

We prefer, based on the Web Security Guidelines, that all http://air.mozilla.org requests should be upgraded to https://air.mozilla.org transparently, whether linked by the user, or in <a href or <object src or <img src.

If you can say with certainty that *all* http:// traffic to the domain 'air.mozilla.org' should be upgraded to https://, then please activate a new header:

Strict-Transport-Security: max-age=600

And then once your testing confirms that the site is working correctly, raise that 600 (seconds == 10 minutes) occasionally until you reach the Mozilla goal of 31536000 (seconds == 1 year).

(If you cannot say that with certainty, then please reach out to April or me and review your situation; Mozilla has a long-term intention of HSTS'ing *all* websites, and browsers have started removing feature support from http:// endpoints.)
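To illustrate the ramp-up requested above, here is an added Python example (not code from the bug or from the Air Mozilla project) that parses a Strict-Transport-Security header value and reports whether a response is still at the 10-minute trial value or has reached the one-year goal; the sample responses are constructed, not captured from air.mozilla.org.

```python
import re

# Values from the bug: 10-minute trial max-age and Mozilla's one-year goal.
HSTS_TRIAL_SECONDS = 600
HSTS_GOAL_SECONDS = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 directive syntax).
    Names are case-insensitive, unknown directives are ignored as a browser
    would, and max_age is None when absent or malformed."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"\d+", arg):
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def hsts_status(headers):
    """Classify a response's HSTS policy against the roll-out in this bug.
    headers maps header name -> value (names compared case-insensitively).
    Returns "missing", "invalid" (no usable max-age, so browsers ignore the
    header), "trial" (present but below the one-year goal) or "goal"."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "missing"
    policy = parse_hsts(value)
    if policy["max_age"] is None:
        return "invalid"
    return "goal" if policy["max_age"] >= HSTS_GOAL_SECONDS else "trial"


# Constructed sample responses, not captured from air.mozilla.org.
SAMPLE_RESPONSES = {
    "before the PR": {"Content-Type": "text/html"},
    "first PR (10 minutes)": {"Strict-Transport-Security": "max-age=600"},
    "follow-up PR (1 year)": {"strict-transport-security": "max-age=31536000"},
}

for label, headers in SAMPLE_RESPONSES.items():
    print(label, "->", hsts_status(headers))
```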
Richard, Can you think of any weird corner cases where you'd need to talk to air.mozilla.org over HTTP (as opposed to HTTPS)? This bug is about setting a header in browsers that tells the browser to never bother with http:// traffic. I know we used to need HTTP in roku but that went away in recent months.
Flags: needinfo?(richard)
Component: air.mozilla.com → Air Mozilla
Product: Websites → Webtools
Version: unspecified → other
Note-to-self: the above mentioned PR enables this new header but it sets the timeout to a really small number (10 minutes). Unless we can think of a single reason to allow http:// traffic, make another PR that sets that number to 1 year and *then* close this bug.
As long as you leave the 10 minutes HSTS in place for at least one MoCo meeting, I think then it'd be fine to bump to a year.
I can't imagine an instance where http access would be useful. All of the video content is https. As long as we're redirecting initial http sessions to the https site, I think we're good. Richard - What is the MoCo meeting issue you're worried about?
Flags: needinfo?(richard) → needinfo?(rsoderberg)
Will this inhibit embedding an AirMo video on an http site?
Flags: needinfo?(peterbe)
I'm just worried about crazy interactions between, somehow, airmo site and airmo events. As long as this is in place for at least one event on airmo with a bunch of people involved, my paranoia is satisfied (and it's only a recommendation, proceed at will). It will not inhibit embedding AirMo videos on http sites, but keep in mind that the browsers themselves may actually start prohibiting that sort of activity over time - so if something breaks some long future day, it's not this :)
Flags: needinfo?(rsoderberg)
(In reply to Richard A Milewski[:richard] from comment #7)
> Will this inhibit embedding an AirMo video on an http site?

Yeah, what atoll said. It will not. This header is just about telling the browser to accidentally go to the http:// version of the site if you've gone to the https:// version. I'm not a security expert but one possible attack angle is if a hacker puts in a cross-script trick to somehow trick your browser to click on an http:// link within the site, then the browser freaks out and refuses to do so. Like managing to convince the President to ride in the Cadillac without armor and xhe doesn't notice because the Cadillac looks like the usual one, but xher secret service steps in and refuses the ride.
Flags: needinfo?(peterbe)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Product: Webtools → Webtools Graveyard