Open
Bug 1431043
Opened 8 years ago
Updated 3 years ago
webRequest.onHeadersReceived cannot trigger HSTS on cached requests
Categories
(WebExtensions :: Request Handling, defect, P3)
WebExtensions
Request Handling
Tracking
(Not tracked)
REOPENED
People
(Reporter: jwkbugzilla, Unassigned)
References
(Depends on 1 open bug)
Details
+++ This bug was initially created as a clone of Bug #1418275 +++
With bug 1418275 fixed, I am still stuck with Enforce Encryption encryption. In order to enable HSTS my extension triggers a request with `cache: "force-cache"` flag - having it hit the network is really undesirable. It then does the following in the onHeadersReceived handler:
let headers = details.responseHeaders || [];
headers.push({
name: "Strict-Transport-Security",
value: "max-age=31536000000"
});
return {responseHeaders: headers};
This works in Chrome, the site gets HSTS enabled as the result. In Firefox (tested in 59.0a1 2018-01-15 nightly) it has no effect for cached requests however. Looking into the source code, it seems that no HSTS processing happens for cached requests. This seems wrong: even a cached response should renew HSTS if it happened to expire in the meantime (yes, this is quite some edge case).
| Reporter | ||
Comment 1•8 years ago
|
||
It should say "Enforce Encryption extension" in the previous post of course.
Updated•8 years ago
|
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Comment 3•8 years ago
|
||
Actually I wanted to keep this open to keep it in a bug list under webextensions (and thus on my radar)
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Updated•8 years ago
|
Product: Toolkit → WebExtensions
Updated•3 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•