Closed Bug 1719770 Opened 4 years ago Closed 3 years ago

Redirect to http:// with HSTS is not upgraded by HTTPS-Only

Categories

(Core :: DOM: Security, defect, P2)

Firefox 91
defect


RESOLVED DUPLICATE of bug 1722489
Tracking Status
firefox91 --- affected

People

(Reporter: mt, Assigned: t.yavor)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

Attachments

(1 file)

I have HTTPS-Only mode enabled. For some reason, there is a bug on a server that causes a request to https://XXX/long.url... to return an HTTP 302 to http://XXX/login.page....

This is the first request I have made to that origin, so maybe the strict-transport-security that is included in the response hasn't taken hold yet. What is most curious is that the subsequent request is upgraded by neither HSTS nor HTTPS-Only. I get the warning interstitial instead.

This is reproducible, but I won't share the URL publicly because I don't want to 0-day the server. I can share details privately.
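
A server-side check for the redirect pattern in the report above, as an added example that is not part of the bug report or of Firefox code: it scans a recorded redirect chain for https:// to http:// downgrades and notes whether the redirecting response carried a usable Strict-Transport-Security header. The host app.example.test, the sample chain and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit, urljoin

# Constructed sample: each hop is (request URL, status code, response headers).
SAMPLE_CHAIN = [
    ("https://app.example.test/long/url", 302, {
        "Location": "http://app.example.test/login",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    }),
    ("https://app.example.test/ok", 302, {"Location": "/home"}),
]

REDIRECT_CODES = (301, 302, 303, 307, 308)

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if no valid max-age."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name == "max-age":
            arg = arg.strip().strip('"')     # the value may be a quoted string
            if not (arg.isascii() and arg.isdigit()):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}

def find_downgrades(chain):
    """Return one finding per redirect that goes from https:// to http://."""
    findings = []
    for url, status, headers in chain:
        h = {k.lower(): v for k, v in headers.items()}
        if status not in REDIRECT_CODES or "location" not in h:
            continue
        src = urlsplit(url)
        dst = urlsplit(urljoin(url, h["location"]))  # resolve relative Location
        if src.scheme == "https" and dst.scheme == "http":
            hsts = parse_hsts(h.get("strict-transport-security", ""))
            findings.append({
                "from": url,
                "to": dst.geturl(),
                "same_host": src.hostname == dst.hostname,
                # max-age=0 clears the HSTS entry, so it does not count as protection
                "hsts_on_response": bool(hsts and hsts["max_age"] > 0),
            })
    return findings
```
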

Severity: -- → S2
Priority: -- → P2
Whiteboard: [domsecurity-backlog1]

Tomer, can you please investigate? I'll share a link with you privately.

Flags: needinfo?(lyavor)
Assignee: nobody → lyavor
Flags: needinfo?(lyavor)
Depends on: 1722489
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE