RE: HSTS priming vs preloading from Ben Wilson on 2016-02-01 (public-webappsec@w3.org from February 2016)

From: Ben Wilson <ben.wilson@digicert.com>
Date: Mon, 1 Feb 2016 20:50:51 +0000
To: Jim Manico <jim.manico@owasp.org>, Richard Barnes <rbarnes@mozilla.com>
CC: Eric Mill <eric@konklone.com>, Mike West <mkwst@google.com>, Jim Manico <jim@manicode.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <a824a796cbf149fe85b2a7ec6c60c5be@EX2.corp.digicert.com>

Excuse my ignorance, but does this mean that there is consensus that preloading HSTS should occur before checking for mixed content?  

Also, I’m assuming that this discussion is related to the proposal found here - https://www.w3.org/TR/upgrade-insecure-requests/.

Is there somewhere else I could look to read more about this interesting topic?

Thanks,

Ben

 

From: Jim Manico [mailto:jim.manico@owasp.org] 
Sent: Tuesday, January 19, 2016 9:49 AM
To: Richard Barnes <rbarnes@mozilla.com>
Cc: Eric Mill <eric@konklone.com>; Mike West <mkwst@google.com>; Jim Manico <jim@manicode.com>; public-webappsec@w3.org
Subject: Re: HSTS priming vs preloading

 

I am just looking for (or am considering creating if none exists) a test to see how browsers handle HSTS and mixed content decisions. I just want to understand current behavior today access all browser that support HSTS. 

- Jim

On 1/19/16 11:46 AM, Richard Barnes wrote:

Which "this" do you mean?  If you mean "taking HSTS into account for MIX decisions", then you're not going to get much, since AFAIK no browser has implemented it yet.

 

On Tue, Jan 19, 2016 at 10:00 AM, Jim Manico <jim.manico@owasp.org <mailto:jim.manico@owasp.org> > wrote:

Does anyone have an online test for this? I think understand and standardizing this behavior is important.

- Jim 

 

On 1/18/16 3:11 PM, Eric Mill wrote:

On Mon, Jan 18, 2016 at 7:11 AM, Mike West <mkwst@google.com <mailto:mkwst@google.com> > wrote:

On Mon, Jan 18, 2016 at 1:05 PM, Jim Manico <jim@manicode.com <mailto:jim@manicode.com> > wrote:

Forgive this indulgence, but does HSTS preloading have the same benefits of HSTS priming since preloaded HSTS would occur before the mixed content check?

 

Yes. Basically, we'd only do a priming ping if the origin being requested wasn't already marked as HSTSized in the user's local browser. The fact that we _would_ do a priming ping for non-secure origins that aren't in the local browser's HSTS list ensures that we can do the upgrade without breakage.

 

I may be remembering wrong, but I didn't think HSTS alone (preloaded or dynamic) would resolve mixed content issues. 

 

The stated concern with allowing HSTS to affect mixed-content rendering is that it would create different experiences per-user/session, and preloading does mitigate this concern, but I didn't think there was an actual code path in Chrome (or other browsers) where it decides to allow HSTS to override mixed content if the HSTS policy was preloaded. 

 

-- Eric

Attachments

application/pkcs7-signature attachment: smime.p7s

Received on Monday, 1 February 2016 20:51:32 UTC