Re: CSP interacting with HSTS

Yes, you're right, it's not specific to HSTS necessarily, although
HSTS may make this situation more common.


----- Original Message -----
From: "Adam Barth" <>
To: "Ian Melven" <>
Cc: "public-webappsec" <>
Sent: Tuesday, January 15, 2013 12:07:50 AM
Subject: Re: CSP interacting with HSTS

Won't the same issue occur if a web site starts redirecting http
traffic to https?  HSTS is just a browser-side redirect.


On Mon, Jan 14, 2013 at 2:15 PM, Ian Melven <> wrote:
> Hi,
> In , Brian Smith brought
> up a possible problematic interaction with CSP and HSTS :
> "Because of HSTS, which can cause of to automatically redirect HTTP requests to HTTPS, we need to interpret a "http:"
> scheme-source as "http: https:", and we need to interpret a host-source of the form "http://host[:port]" as "http://host[:port] https://host[:port]".
> Otherwise, if we get the CSP directive before the site turns on HSTS, and then later the site turns on HSTS,
> the site will break. In particular, consider the case where we've cached a page in the HTTP response cache with
> a CSP with scheme-sources of the form "http:", which references sub-resources (using http:// URLs) of a
> newly-HSTS-enabled site. Without this change, that page would be broken until it is evicted from the cache,
> because HSTS will rewrite the http:// URLs as https:// URLs, and then CSP will block the https:// content from loading."
> Regardless of caching, for example if contains images from
> and has a CSP of image-src: , if turns on
> HSTS, this will break.
> Other places in Gecko explicitly handle this situation - I'm informed that websockets for example
> will generally not follow a redirect without an implemented redirect header, EXCEPT in the case
> where the redirect is to an identical URL with a wss: scheme instead of a ws: scheme.
> Thoughts/comments welcome!
> thanks,
> ian
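The breakage the thread describes, and the "http: also means https:" interpretation Brian Smith proposes, can be shown with a small source-expression matcher. The code below is an added example written for this archive page; it is not Gecko's CSP implementation or any browser's code. It is a toy that only understands scheme-sources ("http:", "https:") and host-sources with an explicit scheme ("http://host[:port]"); the host names and URLs are constructed, and the ws:/wss: pairing is an assumption mirroring the websocket redirect behaviour Ian mentions. `simulate_hsts_upgrade` models the browser-side rewrite of http:// to https:// that HSTS performs (port 80 becomes the https default, other explicit ports are kept). Checking a cached policy of `http://cdn.example` against the upgraded image URL shows the request is blocked under strict matching and allowed under the lenient rule.

```python
"""Toy CSP source matching, with and without the HSTS-aware rule from the thread.

Not a browser implementation; constructed example for illustration only.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Insecure scheme -> the secure scheme it may be upgraded to. The http->https
# pairing is the rule proposed in the thread; ws->wss is an assumption mirroring
# the websocket redirect case mentioned for Gecko.
SECURE_UPGRADES = {"http": "https", "ws": "wss"}


def scheme_matches(source_scheme, url_scheme, hsts_aware):
    """Does a scheme-source like 'http:' match the URL's scheme?

    With hsts_aware=True an insecure source scheme also matches its secure
    upgrade; a secure source never matches an insecure URL (no downgrade).
    """
    if source_scheme == url_scheme:
        return True
    return hsts_aware and SECURE_UPGRADES.get(source_scheme) == url_scheme


def source_matches(source, url, hsts_aware):
    """Match one source expression ('http:' or 'http://host[:port]') against a URL."""
    parsed = urlsplit(url)
    url_scheme = parsed.scheme.lower()

    # scheme-source such as "http:" or "https:"
    if source.endswith(":") and "/" not in source:
        return scheme_matches(source[:-1].lower(), url_scheme, hsts_aware)

    # host-source with an explicit scheme
    src = urlsplit(source)
    if not src.scheme or not src.hostname:
        raise ValueError(f"unsupported source expression in this toy: {source!r}")
    if not scheme_matches(src.scheme.lower(), url_scheme, hsts_aware):
        return False
    if src.hostname.lower() != (parsed.hostname or "").lower():
        return False
    if src.port is None:
        # No port in the source means the default port of the scheme the URL
        # actually uses (80 for http, 443 after an HSTS upgrade to https).
        return parsed.port is None or parsed.port == DEFAULT_PORTS.get(url_scheme)
    url_port = parsed.port if parsed.port is not None else DEFAULT_PORTS.get(url_scheme)
    return url_port == src.port


def directive_allows(directive_value, url, hsts_aware):
    """Evaluate a whole directive value, e.g. 'http://cdn.example http:'."""
    sources = directive_value.split()
    if not sources or sources == ["'none'"]:
        return False
    return any(source_matches(s, url, hsts_aware) for s in sources)


def simulate_hsts_upgrade(url):
    """Model the browser-side HSTS rewrite: http:// -> https://, port 80 -> default 443."""
    parsed = urlsplit(url)
    if parsed.scheme != "http":
        return url
    netloc = parsed.hostname
    if parsed.port not in (None, 80):
        netloc += f":{parsed.port}"
    return parsed._replace(scheme="https", netloc=netloc).geturl()


def demo():
    """Constructed scenario from the thread: page cached with this policy,
    then cdn.example turns on HSTS and the image request gets upgraded."""
    policy = "http://cdn.example"  # constructed img-src value
    original = "http://cdn.example/img/logo.png"  # constructed sub-resource
    upgraded = simulate_hsts_upgrade(original)
    return {
        "before_hsts": directive_allows(policy, original, hsts_aware=False),
        "after_hsts_strict": directive_allows(policy, upgraded, hsts_aware=False),
        "after_hsts_lenient": directive_allows(policy, upgraded, hsts_aware=True),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'BLOCKED'}")
```

Note that the lenient rule is one-directional: a policy of `https:` still never admits an `http://` load, so the relaxation only covers the upgrade the browser itself performs, not a downgrade an attacker could benefit from.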

Received on Tuesday, 15 January 2013 18:20:56 UTC