Closed Bug 1335626 Opened 7 years ago Closed 7 years ago

Add upgrade-insecure-requests to CSP

Categories

(Developer Services :: Mercurial: hg.mozilla.org, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gps, Assigned: gps)

References

Details

Attachments

(1 file)

Ehsan suggested via email that we add upgrade-insecure-requests to the Content-Security-Policy header so requests to http:// URLs are automagically converted to https://. Sounds like a good idea!
One reason that I meant to mention in the thread is that there's tons of existing HTTP links to hg.mozilla.org in Bugzilla and elsewhere and without this browsers would hit a redirect every time they click on a link since they'll all be pretty much unique.
Sure, that's a fine idea.  I will say that HSTS generally already does that -- if you had visited hg.mozilla.org over HTTPS and received the HSTS header, even if the link was http://hg.mozilla.org/foo/bar, it will still go directly to https://hg.mozilla.org/foo/bar.  upgrade-insecure-requests is still a fine idea and worth pursuing, but it's more generally useful for loading resources or linking to domains that you don't have control over or can't enable HSTS on.
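A constructed check of the two mechanisms compared in the comment above (an added example, not code from this bug or from version-control-tools): it parses a Content-Security-Policy value, appends upgrade-insecure-requests in alphabetical order as the reviewers asked, and reports which headers would make a browser fetch http:// URLs for the host as https://. The header values are constructed samples, not hg.mozilla.org's real policy.

```python
"""Added example: CSP upgrade-insecure-requests vs. HSTS (constructed headers)."""
import re


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [values]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy):
    """Emit directives in alphabetical order; for the directives used here
    that places upgrade-insecure-requests last, as requested in review."""
    parts = []
    for name in sorted(policy):
        values = policy[name]
        parts.append(name if not values else name + " " + " ".join(values))
    return "; ".join(parts)


def add_upgrade_insecure_requests(header):
    """Return the policy with the (value-less) upgrade-insecure-requests directive added."""
    policy = parse_csp(header)
    policy["upgrade-insecure-requests"] = []
    return serialize_csp(policy)


def hsts_max_age(header):
    """max-age from a Strict-Transport-Security value; 0 if absent or malformed."""
    if not header:
        return 0
    match = re.search(r'max-age\s*=\s*"?(\d+)', header, re.IGNORECASE)
    return int(match.group(1)) if match else 0


def upgrade_mechanisms(headers):
    """Which response headers would cause http:// requests to be sent as https://.
    'hsts': any later request to this host from a browser that cached the policy
            (so http:// links clicked elsewhere skip the redirect).
    'csp':  sub-resources and same-origin navigations issued from the page that
            carried the header; it does not affect links clicked on other sites."""
    found = []
    if hsts_max_age(headers.get("Strict-Transport-Security")) > 0:
        found.append("hsts")
    if "upgrade-insecure-requests" in parse_csp(headers.get("Content-Security-Policy", "")):
        found.append("csp")
    return found


# Constructed sample policy (not the actual hg.mozilla.org header).
SAMPLE_CSP = "default-src 'self'; img-src 'self' data:"
```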
Assignee: nobody → gps
Status: NEW → ASSIGNED
r+, but I would recommend moving upgrade-insecure-requests to the end, as alphabetical order makes things a bit easier to read.  :)
Comment on attachment 8832479 [details]
ansible/hg-web: add "upgrade-insecure-requests" to CSP policy (bug 1335626);

https://reviewboard.mozilla.org/r/108742/#review111060

Looks good, but I would probably put upgrade-insecure-requests at the end for legibility.
Comment on attachment 8832479 [details]
ansible/hg-web: add "upgrade-insecure-requests" to CSP policy (bug 1335626);

https://reviewboard.mozilla.org/r/108744/#review111630

Not sure why this didn't get submitted.  Looks good, the only change I would say is to put upgrade-insecure-requests last, because it's easier to read in alphabetical order.
Attachment #8832479 - Flags: review?(april) → review+
Pushed by gszorc@mozilla.com:
https://hg.mozilla.org/hgcustom/version-control-tools/rev/22c90c1965dc
ansible/hg-web: add "upgrade-insecure-requests" to CSP policy ; r=April
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
I rebased this and landed it. Deploying now.