Open Bug 2010438 Opened 9 hours ago Updated 9 hours ago

Upgrade insecure requests wrongly upgrades unsupported ports coming from iframes

Tracking

()

Status:

ASSIGNED

People

(Reporter: jkt, Assigned: jkt)

Details

Attachments

(1 file)

Bug 2010438 - Prevent upgrade insecure requests from upgrading unsupported ports from iframes. r?smaug 9 hours ago Jonathan Kingston [:jkt] he/him 48 bytes, text/x-phabricator-request		Details \| Review

Jonathan Kingston [:jkt] he/him

Assignee

Description

•

9 hours ago

testing/web-platform/meta/upgrade-insecure-requests/link-upgrade.sub.https.html.ini lists the following fails:

[./link-upgrade/iframe-top-navigation-upgrade-1.sub.html]
[./link-upgrade/iframe-top-navigation-upgrade-2.sub.html]
[./link-upgrade/iframe-top-navigation-upgrade-meta.sub.html]

Gecko is incorrectly applying upgrade-insecure-requests (UIR) to top-level HTTP navigations initiated from iframes, regardless of whether the upgrade would actually work.

The problem: UIR changes http://host:port → https://host:port (same port number). This breaks when the server doesn't have HTTPS on that port.

Jonathan Kingston [:jkt] he/him

Assignee

Comment 1

•

9 hours ago

Attached file Bug 2010438 - Prevent upgrade insecure requests from upgrading unsupported ports from iframes. r?smaug — Details

Phabricator Automation

Updated

•

9 hours ago

Assignee: nobody → jonathan

Status: NEW → ASSIGNED

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Upgrade insecure requests wrongly upgrades unsupported ports coming from iframes

Categories

(Core :: DOM: Security, defect)

Tracking

()

People

(Reporter: jkt, Assigned: jkt)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Updated

Attachment

General

Description

File Name

Content Type