[fetch] Exempt HSTS-upgraded resources from mixed content blocking (#150)

The overall goal of this issue is to have HSTS upgrades taken into account at the same level as upgrades via upgrade-insecure-requests, in particular, so URLs that are upgraded through HSTS would not be blocked by mixed content blocking or CSP.  There's an easy part and a hard part to this.

The easy part is reversing HSTS and MCB/CSP.  I think all that needs to be done for this is to update the [main fetch](https://fetch.spec.whatwg.org/#main-fetch) algorithm to take the HSTS upgrade step (#6) and put it immediately after the upgrade-insecure-requests step (#3).  That seems like it will prevent HSTS-upgraded loads from getting blocked as insecure.

However, because HSTS information is discovered through browsing, this leads to an unfortunate indeterminism -- the web developer doesn't know whether a visitor to his site will have all the HSTS information necessary to resolve MCB issues.

The hard part is resolving this indeterminacy.  In order to do that, ISTM that the right answer is to actively probe for HSTS, i.e., prime the HSTS cache.  (Aside: You could do this HSTS probing more broadly, but it's especially important here.)  I think the important thing to change here is the following:

> If should fetching request be blocked as mixed content or should fetching request be blocked by Content Security Policy returns blocked, set response to a network error. [MIX] [CSP] 

* Define an "HSTS priming fetch".
  * This should send a request, using some innocuous method (HEAD?), to the root of a URL, without credentials.
  * Depending on whether there's an HSTS header in the response, the host should be marked as a Known HSTS Host or a Known Non-HSTS Host.
  * The "Known Non-HSTS Host" status is new.  The UA must cache this state for the duration of the main fetch, and may cache it for longer to avoid future priming fetches.
* Update the negative CSP/MCB branch ("If should fetching request be blocked as mixed content or should fetching request be blocked by Content Security Policy returns blocked, set response to a network error. [MIX] [CSP]"):
  * If the host is a Known Non-HSTS Host, return a network error
  * Otherwise, perform an HSTS priming fetch and re-try the fetch

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/150

Received on Friday, 30 October 2015 05:25:32 UTC
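The reordered main fetch and the "HSTS priming fetch" proposed in the message above, as an added example in JavaScript; this is illustrative code written here, not code from the Fetch spec, the issue author, or any browser. The `UserAgent` class, the `NETWORK` table of constructed HEAD responses, and the host names are assumptions for illustration; the mixed-content check is reduced to "http: subresource fetched from a secure document", and CSP is omitted.

```javascript
// Added illustration of the proposal in the issue above; not code from the
// Fetch spec, the issue author, or any browser. `UserAgent`, `NETWORK` and the
// host names are assumptions for illustration.

// Constructed offline stand-in for the network: what `HEAD https://<host>/`
// would return. A host with no HTTPS listener at all is modelled as `null`.
const NETWORK = {
  "hsts.example":    { status: 200, headers: { "strict-transport-security": "max-age=31536000" } },
  "plain.example":   { status: 200, headers: {} },
  "nohttps.example": null,
};

class UserAgent {
  constructor(network = NETWORK) {
    this.network = network;
    this.knownHstsHosts = new Set();    // existing HSTS cache ("Known HSTS Host")
    this.knownNonHstsHosts = new Set(); // proposed negative cache ("Known Non-HSTS Host")
    this.primingLog = [];               // every priming request actually sent
  }

  // "HSTS priming fetch": an innocuous, credential-free HEAD to the root of the
  // host over https. The outcome is cached in one of the two sets so the same
  // host is not probed again during (at least) the current main fetch.
  primingFetch(host) {
    this.primingLog.push({ method: "HEAD", url: `https://${host}/`, credentials: "omit" });
    const response = this.network[host] || null;
    if (response && "strict-transport-security" in response.headers) {
      this.knownHstsHosts.add(host);
      return "hsts";
    }
    // No STS header, or no HTTPS listener at all: a Known Non-HSTS Host.
    this.knownNonHstsHosts.add(host);
    return "non-hsts";
  }

  // Would the request be blocked as mixed content? Reduced here to "http:
  // subresource fetched from a secure document"; CSP is omitted.
  blockedAsMixedContent(url, secureDocument) {
    return secureDocument && url.protocol === "http:";
  }

  // Main fetch with the proposed ordering:
  //   1. upgrade-insecure-requests
  //   2. HSTS upgrade, moved to directly after step 1
  //   3. mixed content check; on "blocked", either fail (host is a Known
  //      Non-HSTS Host) or prime the HSTS cache and retry the fetch.
  mainFetch(request, { upgradeInsecureRequests = false, secureDocument = true } = {}) {
    const url = new URL(request.url);
    if (url.protocol === "http:" && upgradeInsecureRequests) url.protocol = "https:";
    if (url.protocol === "http:" && this.knownHstsHosts.has(url.hostname)) url.protocol = "https:";

    if (this.blockedAsMixedContent(url, secureDocument)) {
      if (this.knownNonHstsHosts.has(url.hostname)) {
        return { type: "error", url: url.href }; // network error
      }
      this.primingFetch(url.hostname);
      // After priming, the host is in exactly one of the two sets, so the retry
      // is either upgraded by HSTS or lands in the branch above; it cannot loop.
      return this.mainFetch(request, { upgradeInsecureRequests, secureDocument });
    }
    return { type: "ok", url: url.href };
  }
}
```

A first `http://hsts.example/...` subresource from a secure document triggers one priming HEAD, is then upgraded, and succeeds; later fetches to that host are upgraded straight from the cache without another probe. A host whose root answers without a Strict-Transport-Security header (or has no HTTPS at all) is probed once, recorded as a Known Non-HSTS Host, and every subsequent mixed-content fetch to it fails immediately. How long the negative entry outlives the main fetch is left to the UA, as the proposal says.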