Closed
Bug 1335626
Opened 9 years ago
Closed 8 years ago
Add upgrade-insecure-requests to CSP
Categories
(Developer Services :: Mercurial: hg.mozilla.org, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: gps, Assigned: gps)
Attachments
(1 file)
Ehsan suggested via email that we add upgrade-insecure-requests to the Content-Security-Policy header so requests to http:// URLs are automagically converted to https://. Sounds like a good idea!
Comment 1•9 years ago
One reason that I meant to mention in the thread is that there's tons of existing HTTP links to hg.mozilla.org in Bugzilla and elsewhere and without this browsers would hit a redirect every time they click on a link since they'll all be pretty much unique.
Comment 2•9 years ago
Sure, that's a fine idea. I will say that HSTS generally already does that -- if you had visited hg.mozilla.org over HTTPS and received the HSTS header, even if the link was http://hg.mozilla.org/foo/bar, it will still go directly to https://hg.mozilla.org/foo/bar. upgrade-insecure-requests is still a fine idea and worth pursuing, but it's more generally useful for loading resources or linking to domains that you don't have control over or can't enable HSTS on.
Updated•9 years ago
Assignee: nobody → gps
Status: NEW → ASSIGNED
Comment 4•9 years ago
r+, but I would recommend moving upgrade-insecure-requests to the end, as alphabetical order makes things a bit easier to read. :)
Comment 5•9 years ago
Comment on attachment 8832479 [details]
ansible/hg-web: add "upgrade-insecure-requests" to CSP policy (bug 1335626);
https://reviewboard.mozilla.org/r/108742/#review111060
Looks good, but I would probably put upgrade-insecure-requests at the end for legibility.
Comment 6•9 years ago
Comment on attachment 8832479 [details]
ansible/hg-web: add "upgrade-insecure-requests" to CSP policy (bug 1335626);
https://reviewboard.mozilla.org/r/108744/#review111630
Not sure why this didn't get submitted. Looks good, the only change I would say is to put upgrade-insecure-requests last, because it's easier to read in alphabetical order.
Attachment #8832479 -
Flags: review?(april) → review+
Pushed by gszorc@mozilla.com:
https://hg.mozilla.org/hgcustom/version-control-tools/rev/22c90c1965dc
ansible/hg-web: add "upgrade-insecure-requests" to CSP policy ; r=April
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Comment 9•8 years ago
I rebased this and landed it. Deploying now.
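Added example, not part of the bug or of the version-control-tools change: a small header audit that checks what this thread discusses, namely whether a response's CSP carries upgrade-insecure-requests, whether HSTS is also active, and whether the directives are in the alphabetical order the reviewers asked for. The function names and the sample header values are constructed for illustration; the real hg.mozilla.org policy is not shown on this page.

```python
def parse_csp(value):
    """Split a CSP header value into an ordered list of (name, [values])."""
    directives = []
    for part in value.split(";"):
        tokens = part.split()
        if tokens:  # skip empty segments such as a trailing ';'
            directives.append((tokens[0].lower(), tokens[1:]))
    return directives


def parse_hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value, or None."""
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit(headers):
    """Report on the CSP and HSTS headers of one HTTP response."""
    h = {k.lower(): v for k, v in headers.items()}
    names = [n for n, _ in parse_csp(h.get("content-security-policy", ""))]
    max_age = parse_hsts_max_age(h.get("strict-transport-security", ""))
    return {
        "upgrade_insecure_requests": "upgrade-insecure-requests" in names,
        # max-age=0 tells the browser to forget the host, so it counts as off
        "hsts_enabled": bool(max_age),
        "alphabetical": names == sorted(names),
        # browsers honour only the first copy of a repeated directive
        "duplicates": sorted({n for n in names if names.count(n) > 1}),
    }


# Constructed sample responses (not the real hg.mozilla.org headers).
HSTS = "max-age=31536000"
MID = {"Content-Security-Policy": "default-src 'none'; upgrade-insecure-requests; "
       "img-src 'self'; style-src 'self'", "Strict-Transport-Security": HSTS}
LAST = {"content-security-policy": "default-src 'none'; img-src 'self'; "
        "style-src 'self'; upgrade-insecure-requests", "strict-transport-security": HSTS}

if __name__ == "__main__":
    for label, sample in (("directive mid-policy", MID), ("directive last", LAST)):
        print(label, audit(sample))
```

Both sample policies behave the same in a browser; the ordering check only enforces the readability convention requested in review.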