There are two issues with the current browserid.org -> login.persona.org redirects:

1- https://browserid.org should have the same HSTS headers as login.persona.org:
   Strict-Transport-Security: max-age=2592000; includeSubdomains

2- http://browserid.org should redirect to https://login.persona.org directly (this one is a fairly minor point, but probably very easy to do)
The second issue is resolved. The first one remains:

$ curl --head http://browserid.org
HTTP/1.1 301 Moved Permanently
Date: Thu, 01 Aug 2013 03:41:18 GMT
Server: Apache/2.4.4 (Unix) OpenSSL/1.0.0-fips
Location: https://login.persona.org/
Content-Type: text/html; charset=iso-8859-1

$ curl --head https://browserid.org
HTTP/1.1 301 Moved Permanently
Date: Thu, 01 Aug 2013 03:41:24 GMT
Server: Apache/2.4.4 (Unix) OpenSSL/1.0.0-fips
Location: https://login.persona.org/
Content-Type: text/html; charset=iso-8859-1

Gene: is there a technical reason preventing us from adding the HSTS header to the https://browserid.org -> https://login.persona.org redirect?
François, not that I know of; we just need to find an Apache directive that does what you're looking for. It would go in the Apache config here: https://github.com/mozilla/identity-ops/blob/master/chef/cookbooks/persona-rootzone/templates/default/etc/httpd/conf.d/rootzone.conf.erb. I'll need to look for a setting to do this.
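For reference, an Apache 2.4 fragment that does what the comment above asks for. This is an added illustration, not the contents of rootzone.conf.erb or of the pull request; the vhost names, the ServerName values and the certificate paths are assumptions. The one detail that matters is `Header always set`: with mod_headers, a plain `Header set` is only applied to 2xx responses by default, so on a 301 the Strict-Transport-Security header would silently be missing. The header is also only emitted on the :443 vhost, because browsers ignore HSTS received over plain http (RFC 6797).

```apacheconf
# Added example config (not the project's own rootzone.conf.erb).
# Assumes mod_alias and mod_headers are loaded; cert paths are placeholders.

# Plain-HTTP vhost: redirect straight to the HTTPS login host.
# No HSTS header here: user agents ignore STS sent over http.
<VirtualHost *:80>
    ServerName browserid.org
    ServerAlias www.browserid.org
    Redirect permanent / https://login.persona.org/
</VirtualHost>

# TLS vhost: same redirect, but also set the HSTS policy so that a
# browser that ever reaches https://browserid.org pins browserid.org
# (and its subdomains) to HTTPS, matching login.persona.org.
<VirtualHost *:443>
    ServerName browserid.org
    ServerAlias www.browserid.org

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/browserid.org.crt      # placeholder
    SSLCertificateKeyFile /etc/pki/tls/private/browserid.org.key    # placeholder

    # "always" is required: without it mod_headers only adds the header
    # to successful (2xx) responses, and this vhost answers with a 301.
    Header always set Strict-Transport-Security "max-age=2592000; includeSubdomains"

    Redirect permanent / https://login.persona.org/
</VirtualHost>
```

After a reload, `curl --head https://browserid.org` should show the Strict-Transport-Security line alongside the 301 and Location header, while `curl --head http://browserid.org` should still show only the redirect.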
I have prepared a pull request for this: https://github.com/mozilla/identity-ops/pull/136
Closing since this is now tracked on Github.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED