Re: Redirects and HSTS from Tanvi Vyas on 2014-09-26 (public-webappsec@w3.org from September 2014)

From: Tanvi Vyas <tanvi@mozilla.com>
Date: Fri, 26 Sep 2014 10:22:02 -0700
To: Mike West <mkwst@google.com>, Anne van Kesteren <annevk@annevk.nl>, Ryan Sleevi <sleevi@google.com>
CC: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <5425A0BA.3090207@mozilla.com>

Regardless of how HSTS and mixed content interact, the problem Anne 
describes can still exist on an http non-HSTS page.  The http page can 
embed <img src=http://hsts-target.example/ onload=visited() 
onerror=notvisited()> and Mixed Content Blocker would never be invoked 
to prevent the http page from discovering whether the user has visited 
the target page.

On 9/26/14 5:26 AM, Mike West wrote:
> +sleevi
>
> On Fri, Sep 26, 2014 at 2:24 PM, Anne van Kesteren <annevk@annevk.nl 
> <mailto:annevk@annevk.nl>> wrote:
>
>     On Fri, Sep 26, 2014 at 2:15 PM, Mike West <mkwst@google.com
>     <mailto:mkwst@google.com>> wrote:
>     > Yes, I think that's true.
>
>     Perhaps Gecko's stance that HSTS rewriting happens after Mixed Content
>     is correct. At least for non-same-origin HSTS. :-(
>
>
> That's how Chrome implements it, actually. Ryan, et al, are dead-set 
> against moving HSTS before mixed content checking, as he claims 
> (correctly) that HSTS only protects those browsers that support it. If 
> we don't throw errors, we're throwing Safari and IE users under a bus.
>
> -mike
>

Received on Friday, 26 September 2014 17:22:31 UTC