Open
Bug 997106
Opened 11 years ago
Updated 2 years ago
follow same-origin redirects when testing HSTS preload list candidate hosts
Categories
(Core :: Security: PSM, defect, P3)
REOPENED
People
(Reporter: kyprizel, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [psm-backlog])
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 (Beta/Release)
Build ID: 20140314220517
Steps to reproduce:
Added resource "passport.yandex.ru" to Chromium's HSTS preload list:
https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json
a couple of months ago.
Actual results:
Resource still did not appear in Firefox's HSTS preload list.
Expected results:
"passport.yandex.ru" listed in Firefox's HSTS preload list.
Comment 1•11 years ago
I just realized there is an error report for your domain in <http://dxr.mozilla.org/mozilla-central/source/security/manager/boot/src/nsSTSPreloadList.errors>, which says
> "passport.yandex.ru: did not receive HSTS header"
I guess this is because the very first request done to <https://passport.yandex.ru> is a redirect that does not contain a Strict-Transport-Security header.
You should be able to fix this on your side by making the redirect include this header.
We could also change our list to follow same-domain HTTPS redirects a bit further...
Comment 2•11 years ago
(In reply to Frederik Braun [:freddyb] from comment #1)
> We could also change our list to follow same-domain HTTPS redirects a bit
> further...
That's probably reasonable.
Component: Networking → Security: PSM
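The check comment 1 describes (request https://host, look for a Strict-Transport-Security header) and the extension comment 2 agrees with (follow only same-origin HTTPS redirects a few hops further) can be sketched as the following added example; it is not the preload-list script from the Firefox tree, and the hostnames, the `fake_fetch` stand-in and the `max_hops` limit are all constructed for offline illustration.

```python
from urllib.parse import urlsplit

# Constructed stand-in for https:// responses: url -> (status, headers).
FAKE_RESPONSES = {
    # First response is a redirect without HSTS; the target carries it.
    "https://passport.example.ru/": (302, {"Location": "https://passport.example.ru/auth"}),
    "https://passport.example.ru/auth": (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    # Redirect to a different host: not same-origin, must not count.
    "https://cross.example.com/": (302, {"Location": "https://other.example.net/"}),
    "https://other.example.net/": (200, {"Strict-Transport-Security": "max-age=31536000"}),
    # Redirect back to plain http: leaves the https origin, must not count.
    "https://downgrade.example.org/": (301, {"Location": "http://downgrade.example.org/"}),
}

def fake_fetch(url):
    """Hypothetical fetch: returns (status, headers) without touching the network."""
    return FAKE_RESPONSES.get(url, (404, {}))

def parse_hsts(value):
    """Parse an HSTS header value into (max_age, include_subdomains); None if malformed."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            if not arg.strip().isdigit():
                return None
            max_age = int(arg.strip())
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def check_preload_candidate(host, fetch, max_hops=5):
    """Fetch https://host/ and follow redirects only while they stay on the same
    https origin. Returns (ok, parsed_hsts_or_reason)."""
    url = f"https://{host}/"
    for _ in range(max_hops + 1):
        status, headers = fetch(url)
        hsts = headers.get("Strict-Transport-Security")
        if hsts is not None:  # a redirect carrying the header is accepted too
            parsed = parse_hsts(hsts)
            return (parsed is not None, parsed or "malformed HSTS header")
        if status not in (301, 302, 303, 307, 308):
            return (False, "did not receive HSTS header")
        target = urlsplit(headers.get("Location", ""))
        if target.scheme != "https" or target.hostname != host.lower() or target.port not in (None, 443):
            return (False, f"redirect leaves origin: {headers.get('Location')}")
        url = target.geturl()
    return (False, "too many redirects")
```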
Updated•11 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 3•11 years ago (Reporter)
Changed behaviour of the web server. Can you check if it passes the check now?
Comment 4•11 years ago
Running locally, it looks like (at least) these new domains will be on the list when the script runs this Saturday:
< { "passport.yandex.by", false },
< { "passport.yandex.com", false },
< { "passport.yandex.com.tr", false },
< { "passport.yandex.kz", false },
< { "passport.yandex.ru", false },
< { "passport.yandex.ua", false },
That said, I still think it's worthwhile doing what :freddyb suggested in comment 1.
Comment 5•11 years ago (Reporter)
Thank you!
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Comment 6•11 years ago
(In reply to David Keeler (:keeler) from comment #4)
> That said, I still think it's worthwhile doing what :freddyb suggested in
> comment 1.
Agreed, which is why I'm reopening this bug.
Another problem I have is that I want to do includeSubDomains for a specific zone (and all sub-zones), but I have nothing on the zone itself that would send HSTS. Basically, I have foo.blah.example.com, bar.blah.example.com, baz.blah.example.com. I want to just add blah.example.com to HSTS preload list with includeSubDomains, so all those other ones are covered. Chrome allows me to do this (and I have entries in their preload list for this already), but the entries aren't carried over to Firefox, as blah.example.com doesn't actually exist to send HSTS header (just the sub-zones).
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Updated•11 years ago
Assignee: nobody → dkeeler
Updated•11 years ago
Summary: Some entries of Chromiums HSTS list do not appear in Firefoxs one → follow same-origin redirects when testing HSTS preload list candidate hosts
Updated•9 years ago
Assignee: dkeeler → nobody
Whiteboard: [psm-backlog]
Updated•7 years ago
Priority: -- → P3
Updated•2 years ago
Severity: normal → S3