Closed Bug 1557399 Opened 5 years ago Closed 5 years ago

Upgrade-Insecure-Requests - misinterpreting location header in the response

Categories

Product: Core
Component: DOM: Security
Type: defect
Version: 60 Branch
Priority: Not set
Severity: normal

Tracking

RESOLVED DUPLICATE of bug 1422284

People

(Reporter: gorelen, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0

Steps to reproduce:

Firefox 60.6.1esr (64-bit): We have developers running Django 'runserver', which creates a dev HTTP server running on a specified port (webapp A). This app uses a separate webapp B, which runs under HTTPS. Webapp A has a link to webapp B, and the user either stays in webapp B or is redirected back to webapp A.
In the production environment webapp A also runs under HTTPS and everything works fine. In the dev environment webapp A runs as HTTP, webapp B as HTTPS.
The HTTP transaction just before the redirect back to webapp B looks like:

The request headers
... SKIPPED ...
Connection keep-alive
... SKIPPED ...
Upgrade-Insecure-Requests 1
User-Agent Mozilla/5.0 (Windows NT 10.0; …) Gecko/20100101 Firefox/60.0

The response headers
... SKIPPED ...
content-security-policy upgrade-insecure-requests
... SKIPPED ...
location http://<webapp-A-host-name>:<PORT>
... SKIPPED ...
vary Accept-Encoding
... SKIPPED ...

status 303

Actual results:

Firefox issues a GET request to https://<webapp-A-host-name>:<PORT>

This breaks our development, because the simple Django dev server is plain HTTP, not HTTPS.

Expected results:

Firefox should issue a GET request to http://<webapp-A-host-name>:<PORT>, as in the 'location' header in the server response, and not misinterpret its value. There is no mention of this behavior in https://www.w3.org/TR/upgrade-insecure-requests/

In Chrome this works as expected: it issues a GET request to http://<webapp-A-host-name>:<PORT>
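The following is an added example, not code from the bug report, from Firefox or from Django. It models the client-side behaviour the reporter observed: when a 303 response carries `Content-Security-Policy: upgrade-insecure-requests` together with an `http://` Location, the next request goes out over `https://` with the non-default port kept. The URL rewriting rules (scheme http to https and ws to wss, port 80 to 443, any other explicit port kept, loopback addresses left alone because they are already potentially trustworthy) follow the upgrade steps in the Upgrade Insecure Requests and Secure Contexts specs. The header dump and the host `webapp-a.dev.example` are constructed sample data modelled on the report, and `strip_upgrade_directive` is a hypothetical server-side workaround for a dev deployment, not something the report or Django provides.

```python
"""Model of the redirect upgrade described in the bug report (added example)."""
from urllib.parse import urlsplit, urlunsplit

UPGRADE_DIRECTIVE = "upgrade-insecure-requests"


def csp_directives(csp_value):
    """Return the set of directive names (lower-cased) in a CSP header value."""
    return {d.strip().split()[0].lower() for d in csp_value.split(";") if d.strip()}


def is_a_priori_insecure(url):
    """True for http:// and ws:// URLs that do not point at a loopback address.

    Loopback IPs (127.0.0.0/8, ::1) are 'potentially trustworthy' per Secure
    Contexts and are therefore never upgraded. Whether the name 'localhost'
    gets the same treatment depends on the user agent, so it is not special-cased.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "ws"):
        return False
    host = (parts.hostname or "").lower()
    return not (host == "::1" or host.startswith("127."))


def upgrade_insecure_url(url):
    """Apply the upgrade: http->https, ws->wss, port 80->443 (the default, so
    it is dropped); any other explicit port is kept. Userinfo is assumed absent."""
    if not is_a_priori_insecure(url):
        return url
    parts = urlsplit(url)
    scheme = {"http": "https", "ws": "wss"}[parts.scheme]
    host = parts.hostname
    if ":" in host:  # IPv6 literal: hostname strips the brackets, put them back
        host = f"[{host}]"
    port = parts.port
    netloc = host if port in (None, 80) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def followed_redirect_target(status, response_headers):
    """URL a user agent with the observed behaviour requests next, or None if
    the response is not a redirect. Header names are lower-cased, as in the
    report's dump."""
    if status not in (301, 302, 303, 307, 308) or "location" not in response_headers:
        return None
    location = response_headers["location"]
    csp = response_headers.get("content-security-policy", "")
    if UPGRADE_DIRECTIVE in csp_directives(csp):
        return upgrade_insecure_url(location)
    return location


def strip_upgrade_directive(csp_value):
    """Hypothetical dev-only workaround: drop upgrade-insecure-requests from a
    CSP header value while leaving every other directive intact."""
    kept = [d.strip() for d in csp_value.split(";")
            if d.strip() and d.strip().split()[0].lower() != UPGRADE_DIRECTIVE]
    return "; ".join(kept)


# Constructed sample modelled on the report's header dump (hypothetical host).
SAMPLE_STATUS = 303
SAMPLE_RESPONSE_HEADERS = {
    "content-security-policy": "upgrade-insecure-requests",
    "location": "http://webapp-a.dev.example:8000/",
    "vary": "Accept-Encoding",
}

if __name__ == "__main__":
    print("Location header sent by server:", SAMPLE_RESPONSE_HEADERS["location"])
    print("URL actually fetched:", followed_redirect_target(SAMPLE_STATUS, SAMPLE_RESPONSE_HEADERS))
    fixed = dict(SAMPLE_RESPONSE_HEADERS)
    fixed["content-security-policy"] = strip_upgrade_directive(fixed["content-security-policy"])
    print("After stripping the directive:", followed_redirect_target(SAMPLE_STATUS, fixed))
```

Whether the rewrite happens in the browser or on the server is quick to settle in practice: fetching the redirecting URL with `curl -I` prints the Location header verbatim, since curl applies no CSP, so a literal `http://` there confirms the upgrade is done by the client.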

Component: Untriaged → DOM: Security
Product: Firefox → Core
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE