Re: [whatwg/fetch] From-Origin (#687)

I hear your concern, but there are two subtleties worth pointing out:
1. HSTS only helps here if you set it with `includeSubDomains` -- otherwise an attacker can pick an arbitrary non-existent subdomain and get same-site access to the HTTPS application they want to attack. A large number of sites using HSTS do not set `includeSubDomains` (at first glance: HSTS on google.com, apple.com, mozilla.org, and microsoft.com does not have it, and neither do 3 of my favorite banks even though they all use HSTS). Perhaps Chrome has telemetry to disprove this in case it's just my sampling bias?
2. Not having HSTS certainly exposes you to some attacks -- e.g. SSL stripping, leaking non-Secure cookies -- but in general HTTP content does not receive special privileges to access HTTPS data served from the same site/domain. This is both because the usual SOP restrictions consider these to be distinct origins (obviously), and because security features only expose keywords to specify a same-origin relationship (e.g. `X-Frame-Options: SAMEORIGIN` or CSP `'self'`) and require explicit opt-in to all interactions with insecure content (e.g. if an HTTPS application wants to allow interactions from HTTP via postMessage or CORS it has to directly safelist the `http:` URL).

I'm worried about creating a situation where insecurely delivered same-domain content will start getting special privileges to access data delivered over HTTPS -- it will make `same-site` interactions unsafe by default (unless they are coupled with site-wide enforcement of HTTPS, which is still rare).

-- 
https://github.com/whatwg/fetch/issues/687#issuecomment-393257138

Received on Wednesday, 30 May 2018 17:53:39 UTC
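The two points above, as an added example that is not part of the thread or the fetch spec: a schemeless same-site check treats an attacker-chosen `http://` subdomain as the same site as an `https://` application, a schemeful check does not, and an HSTS policy only closes the gap when it carries `includeSubDomains`. The public-suffix table, host names and policy table are constructed for the demo; a real implementation would use the full public suffix list.

```javascript
// Added example (not from the thread). Constructed stand-in for the public
// suffix list: only these suffixes are recognised.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Registrable domain (eTLD+1): the public suffix plus one more label.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return host.toLowerCase();
}

// Schemeless same-site: only the registrable domain has to match, so an
// http: subdomain counts as the same site as the https: application.
function schemelessSameSite(a, b) {
  return registrableDomain(new URL(a).hostname) ===
         registrableDomain(new URL(b).hostname);
}

// Schemeful same-site: the scheme has to match as well, so insecurely
// delivered content is never same-site with an https: origin.
function schemefulSameSite(a, b) {
  return new URL(a).protocol === new URL(b).protocol && schemelessSameSite(a, b);
}

// Apply an HSTS policy table ({host: {includeSubDomains}}) to a URL the way a
// browser would: an http: URL is rewritten to https: when its host matches a
// policy exactly, or is a subdomain of a policy set with includeSubDomains.
// Without includeSubDomains an arbitrary subdomain stays on plain http:.
function applyHsts(url, policies) {
  const u = new URL(url);
  if (u.protocol !== "http:") return u.href;
  for (const [policyHost, p] of Object.entries(policies)) {
    const exact = u.hostname === policyHost;
    const sub = u.hostname.endsWith("." + policyHost);
    if (exact || (sub && p.includeSubDomains)) {
      u.protocol = "https:";
      break;
    }
  }
  return u.href;
}
```

Constructed inputs such as `http://nonexistent.example.org/` against `https://app.example.org/` show the difference: schemeless same-site says yes, schemeful says no, and only a policy with `includeSubDomains` for `example.org` forces the subdomain onto https.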