Closed Bug 1334074 Opened 3 years ago Closed 3 years ago
HSTS priming violates HTTP standard for non-standard ports
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20161208153507

Steps to reproduce:

Firefox 51 is broken for sites that load any content from non-standard ports if HSTS priming is attempted. Loading any page that refers to such content will cause long delays if the server doesn't detect the malformed request early and terminate the connection.

Firefox flagrantly violates RFC 2616/7230 with this behavior, which states:

An implementation is considered conformant if it complies with all of the requirements associated with the roles it partakes in HTTP.

Conformance includes both the syntax and semantics of protocol elements. A sender MUST NOT generate protocol elements that convey a meaning that is known by that sender to be false. A sender MUST NOT generate protocol elements that do not match the grammar defined by the corresponding ABNF rules. Within a given message, a sender MUST NOT generate protocol elements or syntax alternatives that are only allowed to be generated by participants in other roles (i.e., a role that the sender does not have for that message).

Actual results:

Firefox attempts to send a TLS request to the plaintext HTTP socket, which the server does not understand, making the connection stall until it times out. The followup request is delayed until this timeout occurs.

Expected results:

Firefox should only send a conformant plaintext request to an HTTP socket, as per the HTTP standard.
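The stall in this report lasts as long as the plaintext server keeps waiting on bytes it cannot parse. The Python code below is an added example, not part of the bug report and not code from Firefox or any particular server: it shows a plaintext HTTP listener recognising a TLS ClientHello from the first bytes and closing at once instead of waiting for its timeout. The function names and the sample byte strings are constructed for illustration.

```python
import re
import socket

# RFC 7230 request-line starts with a method token followed by one space.
_HTTP_METHOD = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+ ")

# Constructed sample inputs (not captured traffic).
# TLS record header (type 0x16, version 0x0301, length 0x0200), then the
# handshake header (type 0x01 = ClientHello, length 0x0001fc) and version.
SAMPLE_CLIENT_HELLO = bytes.fromhex("1603010200" "010001fc" "0303")
SAMPLE_HTTP_REQUEST = b"HEAD / HTTP/1.1\r\nHost: example.test:8080\r\n\r\n"


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes received on a plaintext HTTP listener."""
    if len(data) < 6:
        return "incomplete"
    # Byte 0: record type 0x16 (handshake); bytes 1-2: version 0x03 0x00..0x04;
    # bytes 3-4: record length; byte 5: handshake type 0x01 (ClientHello).
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04 and data[5] == 0x01:
        return "tls-client-hello"
    if _HTTP_METHOD.match(data):
        return "http"
    return "unknown"


def handle_plaintext_connection(conn: socket.socket, timeout: float = 5.0) -> str:
    """Peek at the first bytes and close at once if a TLS client hit this port."""
    conn.settimeout(timeout)
    try:
        # MSG_PEEK leaves the bytes queued for the real HTTP parser.
        head = conn.recv(16, socket.MSG_PEEK)
    except socket.timeout:
        conn.close()
        return "timeout"
    kind = classify_first_bytes(head)
    if kind == "tls-client-hello":
        # Fail fast: the client sees the close instead of waiting for our timeout.
        conn.close()
    return kind
```
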
Severity: blocker → normal
Component: Untriaged → Networking: HTTP
Product: Firefox → Core
[Tracking Requested - why for this release]: Regression

I can confirm this.
Severity: normal → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Unspecified → All
Jason, who can we assign to this bug?
Has Regression Range: --- → yes
Has STR: --- → yes
This is a duplicate of 1328460.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Resolution: FIXED → DUPLICATE
Duplicate of bug: 1328460
cleaning + dropping ni
Status: RESOLVED → VERIFIED