- From: Ian Melven <imelven@mozilla.com>
- Date: Tue, 15 Jan 2013 10:20:29 -0800 (PST)
- To: Adam Barth <w3c@adambarth.com>
- Cc: public-webappsec <public-webappsec@w3.org>
yes, you're right it's not specific to HSTS necessarily, although HSTS may make this situation more common. thanks, ian ----- Original Message ----- From: "Adam Barth" <w3c@adambarth.com> To: "Ian Melven" <imelven@mozilla.com> Cc: "public-webappsec" <public-webappsec@w3.org> Sent: Tuesday, January 15, 2013 12:07:50 AM Subject: Re: CSP interacting with HSTS Won't the same issue occur if a web site starts redirecting http traffic to https? HSTS is just a browser-side redirect. Adam On Mon, Jan 14, 2013 at 2:15 PM, Ian Melven <imelven@mozilla.com> wrote: > > Hi, > > In https://bugzilla.mozilla.org/show_bug.cgi?id=826805 , Brian Smith brought > up a possible problematic interaction with CSP and HSTS : > > "Because of HSTS, which can cause of to automatically redirect HTTP requests to HTTPS, we need to interpret a "http:" > scheme-source as "http: https:", and we need to interpet a host-source of the form "http://host[:port]" as "http://host[:port] https://host:[port]". > > Otherwise, if we get the CSP directive before the site turns on HSTS, and then later the site turns on HSTS, > the site will break. In particular, consider the case where we've cached a page in the HTTP response cache with > a CSP with scheme-sources of the form "http:", which references sub-resources (using http:// URLs) of a > newly-HSTS-enabled site. Without this change, that page would be broken until it is evicted from the cache, > because HSTS will rewrite the http:// URLs as https:// URLs, and then CSP will block the https:// content from loading." > > regardless of caching, for example if http://a.com contains images from > http://b.com and has a CSP of image-src: http://b.com , if b.com turns on > HSTS, this will break. > > other places in Gecko explicitly handle this situation - I'm informed that websockets for example > will generally not follow a redirect without an implemented redirect header, EXCEPT in the case > where the redirect is to an identical URL with a wss: scheme instead of a ws: scheme. > > thoughts/comments welcome ! > > thanks, > ian >
Received on Tuesday, 15 January 2013 18:20:56 UTC