Open Bug 875489 Opened 12 years ago Updated 3 years ago

If STS headers are provided without directives, we should post warnings to STSLOG and the web console to inform developers

Categories: Core :: Networking: HTTP, defect, P5

People: Reporter: ialagenchev, Unassigned

Whiteboard: [necko-would-take]

This code in nsHttpChannel is supposed to retrieve the HSTS header:

    rv = mResponseHead->GetHeader(atom, stsHeader);
    if (rv == NS_ERROR_NOT_AVAILABLE) {
        LOG(("STS: No STS header, continuing load.\n"));
        return NS_OK;
    }

but if the header is invalid, of one of the following forms:

    Strict-Transport-Security:
    Strict-Transport-Security

(and both of the above variations followed by white space), then the result from mResponseHead->GetHeader is NS_ERROR_NOT_AVAILABLE. We miss that the STS header is present and never reach the code that validates the STS header later on.
Can you provide examples of the exact headers, verbatim, that you think we are ignoring? I'm not clear from your description.
I think if the STS header is malformed, we skip it (intentionally). This is where it's parsed: http://mxr.mozilla.org/mozilla-central/source/netwerk/protocol/http/nsHttpHeaderArray.cpp#124 Which requires a colon and a value after the colon and OWS. What are the exact header name/value pairs that are failing? Or better yet, do you have a test we can use to reproduce this?
Summary: nsHttpResponseHead::GetHeader misses some invalid HSTS headers → If STS headers are provided without directives, we should post warnings to STSLOG and the web console to inform developers
Adding this for posterity: It is debatable whether this bug is indeed a bug and if we should ever spend the time to fix it. The consensus is that it might be a nice-to-have feature to warn developers about headers with missing directives, but it also appears to be OK to ignore such headers. We need to revisit later.
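The distinction the thread is circling, a header that is absent versus one that is present but carries no directives, shown as an added, self-contained C++ example (not Gecko code; `FindStsHeader`, `StsLookup` and the sample header lines are constructed for illustration). A lookup that only reports "not available" collapses both cases; keeping them apart is what makes a developer warning possible before the value is ignored.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Outcome of looking for the HSTS header in a response (constructed example).
enum class StsHeaderState { Absent, PresentNoDirectives, Present };

struct StsLookup {
    StsHeaderState state;
    std::string value;    // trimmed header value; empty unless Present
    std::string warning;  // developer-facing warning text; empty when none
};

// Strip leading and trailing whitespace.
static std::string Trim(const std::string& s) {
    auto notWs = [](unsigned char c) { return !std::isspace(c); };
    auto b = std::find_if(s.begin(), s.end(), notWs);
    auto e = std::find_if(s.rbegin(), s.rend(), notWs).base();
    return b < e ? std::string(b, e) : std::string();
}

// Header names are case-insensitive.
static bool EqualsIgnoreCase(const std::string& a, const std::string& b) {
    return a.size() == b.size() &&
           std::equal(a.begin(), a.end(), b.begin(),
                      [](unsigned char x, unsigned char y) {
                          return std::tolower(x) == std::tolower(y);
                      });
}

// Scan raw header lines. A line such as "Strict-Transport-Security:" or
// "Strict-Transport-Security" (with or without trailing whitespace) is
// reported as present-but-empty so the caller can warn rather than treat
// it as if no header had been sent.
StsLookup FindStsHeader(const std::vector<std::string>& lines) {
    for (const std::string& line : lines) {
        size_t colon = line.find(':');
        std::string name = Trim(colon == std::string::npos ? line : line.substr(0, colon));
        if (!EqualsIgnoreCase(name, "Strict-Transport-Security")) continue;
        std::string value = colon == std::string::npos ? "" : Trim(line.substr(colon + 1));
        if (value.empty()) {
            return {StsHeaderState::PresentNoDirectives, "",
                    "STS: Strict-Transport-Security header present but has no directives; ignoring it."};
        }
        return {StsHeaderState::Present, value, ""};
    }
    return {StsHeaderState::Absent, "", ""};
}
```

The non-empty value still has to pass the normal directive validation (a required max-age and so on); this only makes sure the empty-header case reaches a point where it can be logged.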
Whiteboard: [necko-would-take]
Priority: -- → P5
Severity: minor → S4