Closed
Bug 1335626
Opened 7 years ago
Closed 7 years ago
Add upgrade-insecure-requests to CSP
Categories
(Developer Services :: Mercurial: hg.mozilla.org, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: gps, Assigned: gps)
Attachments
(1 file)
Ehsan suggested via email that we add upgrade-insecure-requests to the Content-Security-Policy header so requests to http:// URLs are automagically converted to https://. Sounds like a good idea!
Comment 1•7 years ago
One reason that I meant to mention in the thread is that there's tons of existing HTTP links to hg.mozilla.org in Bugzilla and elsewhere and without this browsers would hit a redirect every time they click on a link since they'll all be pretty much unique.
Comment 2•7 years ago
Sure, that's a fine idea. I will say that HSTS generally already does that -- if you had visited hg.mozilla.org over HTTPS and received the HSTS header, even if the link was http://hg.mozilla.org/foo/bar, it will still go directly to https://hg.mozilla.org/foo/bar. upgrade-insecure-requests is still a fine idea and worth pursuing, but it's more generally useful for loading resources or linking to domains that you don't have control over or can't enable HSTS on.
Comment hidden (mozreview-request)
Updated•7 years ago
Assignee: nobody → gps
Status: NEW → ASSIGNED
Comment 4•7 years ago
r+, but I would recommend moving upgrade-insecure-requests to the end, as alphabetical order makes things a bit easier to read. :)
Comment 5•7 years ago
mozreview-review
Comment on attachment 8832479: ansible/hg-web: add "upgrade-insecure-requests" to CSP policy (bug 1335626)
https://reviewboard.mozilla.org/r/108742/#review111060
Looks good, but I would probably put upgrade-insecure-requests at the end for legibility.
Comment 6•7 years ago
mozreview-review
Comment on attachment 8832479: ansible/hg-web: add "upgrade-insecure-requests" to CSP policy (bug 1335626)
https://reviewboard.mozilla.org/r/108744/#review111630
Not sure why this didn't get submitted. Looks good, the only change I would say is to put upgrade-insecure-requests last, because it's easier to read in alphabetical order.
Attachment #8832479 -
Flags: review?(april) → review+
Comment hidden (mozreview-request)
Pushed by gszorc@mozilla.com:
https://hg.mozilla.org/hgcustom/version-control-tools/rev/22c90c1965dc
ansible/hg-web: add "upgrade-insecure-requests" to CSP policy ; r=April
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Comment 9•7 years ago
I rebased this and landed it. Deploying now.
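Added example, not part of this bug or the landed patch: a small Python helper that adds upgrade-insecure-requests to a Content-Security-Policy value, serializes the directives in alphabetical order as the review asked, and audits a response for the CSP directive and the HSTS header discussed in comment 2. The sample policy and header values are constructed and are not hg.mozilla.org's real configuration; all function names are hypothetical.

```python
"""Add upgrade-insecure-requests to a CSP value and audit response headers.

The sample policy and header values are constructed for illustration; they
are not hg.mozilla.org's actual configuration.
"""

UIR = "upgrade-insecure-requests"


def parse_csp(policy):
    """Parse a CSP header value into {directive_name: [values]}."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue  # empty segment, e.g. from a trailing ';'
        name = tokens[0].lower()  # directive names are case-insensitive
        # CSP keeps the first occurrence of a directive and ignores repeats.
        directives.setdefault(name, tokens[1:])
    return directives


def serialize_csp(directives):
    """Serialize with directive names in alphabetical order."""
    return "; ".join(" ".join([name] + directives[name]) for name in sorted(directives))


def add_upgrade_insecure_requests(policy):
    """Return the policy with the valueless directive present exactly once."""
    directives = parse_csp(policy)
    directives.setdefault(UIR, [])
    return serialize_csp(directives)


def audit_headers(headers):
    """Return findings for a response's transport-upgrade headers."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    if UIR not in parse_csp(lowered.get("content-security-policy", "")):
        findings.append("CSP lacks upgrade-insecure-requests")
    if "strict-transport-security" not in lowered:
        findings.append("no Strict-Transport-Security header")
    return findings


if __name__ == "__main__":
    before = "default-src 'none'; script-src 'self'; img-src 'self'"  # constructed
    print(add_upgrade_insecure_requests(before))
    print(audit_headers({"Content-Security-Policy": before}))
```

Alphabetical order puts upgrade-insecure-requests last for this sample policy; directive order does not change how a browser enforces the policy, so the sort is purely for readability.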