Closed Bug 837952 Opened 12 years ago Closed 12 years ago

HSTS is still enforced when sending a HTTP header with max-age=0

Categories

(Core :: Security: PSM, defect)

20 Branch
x86_64
Linux
defect
Not set
normal


RESOLVED WORKSFORME

People

(Reporter: 810d4rk, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Build ID: 20130117041235

Steps to reproduce:

Sending an HSTS HTTP header to force HTTPS, with a high value:

Header always set Strict-Transport-Security "max-age=399999; includeSubDomains"

Then, after Firefox forces HTTPS for the whole domain, it ignores a new header with 0 as the value:

Header always set Strict-Transport-Security "max-age=0; includeSubDomains"

Actual results:

All pages were still HTTPS enforced.

Expected results:

All pages should stop being HTTPS enforced.
Wouldn't HSTS be useless if it accepts lower values?
Component: Untriaged → Security: PSM
Product: Firefox → Core
Matti: I don't know if this is what you're asking, but if a host sends an HSTS header with max-age=0, the user agent is supposed to clear HSTS state for that host.

Biodark: My first guess as to what's going on is that subdomains can't clear HSTS state for superdomains. Example:

example.com sends "max-age=399999; includeSubdomains"
child.example.com sends "max-age=0"
child.example.com is still observed to be an HSTS host (which is to be expected, as that's how HSTS is specified to work)

Anyway, if that's not the issue, more information would help us diagnose the problem. For instance, what hosts are sending what headers? Is there a public site you can point us to, with specific steps to reproduce the issue?
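The superdomain/subdomain behaviour described in the comment above, as an added example that is not part of the bug report or of Firefox's own PSM code: a small JavaScript model of the RFC 6797 known-HSTS-host store. The hostnames (example.com, www.example.com) and header values are constructed sample input. The rules it implements are the RFC's: a header with max-age=0 received over a secure connection deletes that host's own entry, an entry with includeSubDomains on a superdomain still covers every subdomain regardless of what the subdomain sends, and a Strict-Transport-Security header received over plain HTTP is ignored entirely.

```javascript
// Added example, not Firefox code: minimal model of the RFC 6797 HSTS host store.

// Parse a Strict-Transport-Security header value into {maxAge, includeSubDomains}.
// Returns null when the header is invalid (max-age missing, repeated, or not digits).
function parseHsts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (val && val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
    if (name === 'max-age') {
      // RFC 6797: max-age must appear exactly once and be delta-seconds.
      if (maxAge !== null || val === null || !/^\d+$/.test(val)) return null;
      maxAge = Number(val);
    } else if (name === 'includesubdomains') {
      includeSubDomains = true;
    }
    // Unknown directives are ignored.
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor(now = () => Date.now()) {
    this.entries = new Map(); // host -> {expires (ms), includeSubDomains}
    this.now = now;           // injectable clock so expiry can be tested
  }

  // Process a response from `host`. `secure` says whether it arrived over TLS;
  // RFC 6797 says the header must be ignored on a non-secure transport, which is
  // why an Apache "Header always set" on the port-80 vhost changes nothing.
  // max-age=0 deletes the entry for this host only; it never touches a superdomain.
  processHeader(host, headerValue, secure = true) {
    if (!secure) return false;
    const parsed = parseHsts(headerValue);
    if (!parsed) return false;
    if (parsed.maxAge === 0) {
      this.entries.delete(host);
    } else {
      this.entries.set(host, {
        expires: this.now() + parsed.maxAge * 1000,
        includeSubDomains: parsed.includeSubDomains,
      });
    }
    return true;
  }

  // A host is an HSTS host if it matches an unexpired entry exactly, or is a
  // subdomain of an unexpired entry that carries includeSubDomains.
  isHstsHost(host) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const e = this.entries.get(candidate);
      if (!e) continue;
      if (e.expires <= this.now()) { this.entries.delete(candidate); continue; }
      if (i === 0 || e.includeSubDomains) return true;
    }
    return false;
  }
}

// Replays the situation from the comment: the root domain pins itself with
// includeSubDomains, a subdomain then sends max-age=0, then the root does.
function bugScenario() {
  let t = 0;
  const store = new HstsStore(() => t);
  store.processHeader('example.com', 'max-age=399999; includeSubDomains');
  const before = store.isHstsHost('www.example.com');
  // Subdomain sends max-age=0: its own (non-existent) entry is cleared, nothing else.
  store.processHeader('www.example.com', 'max-age=0; includeSubDomains');
  const afterSubdomain = store.isHstsHost('www.example.com');
  // The superdomain itself sends max-age=0 over HTTPS: now the pin is gone.
  store.processHeader('example.com', 'max-age=0; includeSubDomains');
  const afterSuperdomain = store.isHstsHost('www.example.com');
  return { before, afterSubdomain, afterSuperdomain };
}

console.log(bugScenario());
```

The practical check this suggests when an HSTS pin "won't clear": in the browser's network/web console, look at which host actually sent the max-age=0 response and whether that response came over HTTPS. A max-age=0 sent by a subdomain, or sent on the plain-HTTP vhost, leaves a superdomain's includeSubDomains entry in place by design.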
I was sending the HSTS header with a high value in a .htaccess file at the root of the domain, but then changed the value to 0 so the HTTPS enforcement would stop, but it doesn't stop. I removed the .mozilla directory to try with a clean profile and the problem doesn't appear, but it appears with the old directory even when running with the "restart with all add-ons disabled" option.
I can't reproduce this locally. What does the web console say? (Tools -> Web Developer -> Web Console) In particular, what URLs are fetched and what do the response HSTS headers say before and after you change max-age?
Flags: needinfo?(810d4rk)
This is very strange: the bug stopped being reproducible by me. The web console doesn't say anything about HSTS, but I can see the URLs are being fetched correctly now by HTTP and HTTPS when I test. Maybe this was fixed in 18.0.2, or the bug just became more difficult to spot.
Flags: needinfo?(810d4rk)
Well, I'll close this for now, but feel free to reopen if it happens again.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
It is happening again...
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
Version: 18 Branch → 20 Branch
In the web console, you can click on individual requests and look at the response headers the server sends. If you paste what you're seeing for the Strict-Transport-Security header, it may help diagnose and fix this problem.
Flags: needinfo?(810d4rk)
OK, I found the problem: it takes some time for Firefox to apply the new header changes. When I reopened this bug it never applied the new changes, I think, but now it takes two requests and two responses for it to apply.
Flags: needinfo?(810d4rk)
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME