Closed
Bug 1373582
Opened 7 years ago
Closed 7 years ago
Firefox applies HSTS to ftp and "upgrades" it to https
Categories
(Core Graveyard :: Networking: FTP, defect)
Tracking
(firefox56 fixed)
RESOLVED
FIXED
mozilla56
People
(Reporter: tom, Assigned: dragana)
Details
(Whiteboard: [necko-next])
Attachments
(2 files, 2 obsolete files)
- image/jpeg, 85.08 KB
- patch, 3.52 KB (dragana: review+)
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Build ID: 20170526184742

Steps to reproduce:
Visited https://sourceware.org/ and then tried to download ftp://sourceware.org/pub/valgrind/valgrind-3.13.0.tar.bz2.

Actual results:
The browser tried to load https://sourceware.org/pub/valgrind/valgrind-3.13.0.tar.bz2 instead, which is not a functional link.

Expected results:
It should have loaded ftp://sourceware.org/pub/valgrind/valgrind-3.13.0.tar.bz2 as requested.
Comment 1•7 years ago (Reporter)
Further tested by using "forget this site" on sourceware.org, after which the ftp link works correctly until I visit https://sourceware.org/ again. All using the Fedora build of Firefox 53.0.3 on Fedora 25.
Comment 2•7 years ago
WFM with FF54 on Win 7. Are you able to reproduce it with a new profile? https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles
Flags: needinfo?(tom)
Comment 3•7 years ago (Reporter)
Yes, I am able to reproduce it with a clean profile. I started Firefox with a new, clean profile and loaded the ftp link, then the https link, and then when I tried to load the ftp link again it converted it to https and 404ed.
Comment 4•7 years ago
WFM with FF53.0.2 on Fedora 25. Tom, are you using some outgoing web proxy by any chance?
Comment 5•7 years ago (Reporter)
Yes I am, and disabling it stops this happening ;-)
Flags: needinfo?(tom)
Comment 6•7 years ago (Reporter)
Just a warning - the https version of the link now works because sourceware.org have mapped that directory to the web root.
Comment 7•7 years ago
So this is apparently not a ff issue, but some proxies might not implement HSTS correctly? Note that since a short while ago sourceware now mirrors ftp://sourceware.org/pub/ at https://sourceware.org/pub/ to help people that get such incorrect redirects (making it not a good example of this bug anymore).
Comment 8•7 years ago (Reporter)
No, it's still a bug I think; it's just that because it is proxied, Firefox is seeing it as an http request when it decides whether to apply the HSTS upgrade, but using the HSTS status of the target host to upgrade an http connection to a proxy doesn't seem right.
Updated•7 years ago (Assignee)
Assignee: nobody → dd.mozilla
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [necko-next]
Comment 9•7 years ago (Assignee)
"When establishing an HTTP connection to a given host, however instigated, the UA examines its cache of Known HSTS Hosts to see if there are any with domain names that are superdomains of the given host's domain name. ..."
Attachment #8881958 - Flags: review?(mcmanus)
Comment 10•7 years ago
even better.. https://tools.ietf.org/html/rfc6797#section-8.3 Whenever the UA prepares to "load" (also known as "dereference") any "http" URI [RFC3986] (including when following HTTP redirects [RFC2616]), the UA MUST first determine whether a domain name is given in the URI and whether it matches a Known HSTS Host, using these steps:
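The rule quoted from RFC 6797 section 8.3 above, together with the reporter's point in comment 8, reduces to one decision: the upgrade is keyed on the URI's scheme, not on the transport the request happens to use (a plain-HTTP hop to a proxy does not make an ftp:// URI an "http" URI). As an added example, not Firefox or necko code, here is that decision in JavaScript with a constructed Known HSTS Host cache; the hosts, includeSubDomains flags and expiry values are made up for the illustration:

```javascript
// Added example, not Firefox/necko code: the RFC 6797 section 8.3 decision
// "should this URI be rewritten to https?", keyed on the URI scheme alone.
// The Known HSTS Host cache below is constructed for the example; the hosts,
// flags and expiry values are made up.

const NOW = 1500000000000; // fixed "current time" in ms so the example is deterministic

// Known HSTS Hosts: domain name -> { includeSubDomains, expiry (ms) }.
const knownHstsHosts = new Map([
  ["sourceware.org", { includeSubDomains: false, expiry: NOW + 31536000000 }],
  ["example.com",    { includeSubDomains: true,  expiry: NOW + 31536000000 }],
  ["stale.test",     { includeSubDomains: true,  expiry: NOW - 1 }], // already expired
]);

// RFC 6797 section 8.3 step 3: an IP-literal ([...]) or IPv4 address never
// matches a Known HSTS Host.
function isIpHost(host) {
  return host.startsWith("[") || /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// RFC 6797 section 8.2: a congruent match on the host itself, or a superdomain
// match when that superdomain's entry carries includeSubDomains. Expired
// entries are ignored. Returns the matching Known HSTS Host name or null.
function matchKnownHstsHost(host, cache, now) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    const entry = cache.get(candidate);
    if (!entry || entry.expiry <= now) continue;
    if (i === 0 || entry.includeSubDomains) return candidate;
  }
  return null;
}

// Returns the https URL the UA must load instead, or null when the URI is to
// be loaded as given. Only the URI scheme decides whether HSTS applies: an
// ftp:// URI stays ftp:// even when its host is a Known HSTS Host, and it
// makes no difference whether the request will travel to a proxy over HTTP.
function hstsUpgrade(uriString, cache = knownHstsHosts, now = NOW) {
  const uri = new URL(uriString); // WHATWG URL, global in Node >= 10 and browsers
  if (uri.protocol !== "http:") return null;
  if (!uri.hostname || isIpHost(uri.hostname)) return null;
  if (matchKnownHstsHost(uri.hostname, cache, now) === null) return null;
  // Section 8.3: swap the scheme. An explicit :80 ends up as the https default
  // (WHATWG URL already drops a scheme's default port), any other explicit
  // port is preserved, and no port is added when none was given.
  uri.protocol = "https:";
  return uri.href;
}

// The reporter's scenario: sourceware.org is a Known HSTS Host after visiting
// https://sourceware.org/, but the ftp:// download must not be rewritten.
console.log(hstsUpgrade("http://sourceware.org/pub/valgrind/valgrind-3.13.0.tar.bz2"));
console.log(hstsUpgrade("ftp://sourceware.org/pub/valgrind/valgrind-3.13.0.tar.bz2"));
```

The proxy case from comment 8 is handled by what the function does not look at: the transport (direct TLS, plain HTTP to a proxy, CONNECT) is never an input, so a proxied ftp:// request cannot be mistaken for an "http" URI load.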
Comment 11•7 years ago
Comment on attachment 8881958 [details] [diff] [review] bug_1373582.patch
Review of attachment 8881958 [details] [diff] [review]:
I think you need both sts priming and regular sts - ProcessSingleSecurityHeader() drives the latter.
Attachment #8881958 - Flags: review?(mcmanus) → review-
Comment 12•7 years ago (Assignee)
Attachment #8881958 - Attachment is obsolete: true
Attachment #8882032 - Flags: review?(mcmanus)
Comment 13•7 years ago (Assignee)
https://treeherder.mozilla.org/#/jobs?repo=try&revision=328078fba7953f2cb7b6d2f59fa5cb9ba2d2c3b5
Comment 14•7 years ago
Comment on attachment 8882032 [details] [diff] [review] bug_1373582.patch
Review of attachment 8882032 [details] [diff] [review]:
you can skip the call to secureupgrade.. with that r+
Attachment #8882032 - Flags: review?(mcmanus) → review+
Comment 15•7 years ago (Assignee)
Attachment #8882032 - Attachment is obsolete: true
Attachment #8882054 - Flags: review+
Comment 16•7 years ago (Assignee)
https://treeherder.mozilla.org/#/jobs?repo=try&revision=b05a69e4f185f2dd95eb85e66c1599cf089320eb
Comment 17•7 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/28661214cd0cca6e60b2001af71eb4977fa950b6
Bug 1373582 - Do not apply HSTS to non http. r=mcmanus
Comment 18•7 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/28661214cd0c
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox56:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Updated•3 months ago
Product: Core → Core Graveyard