Re: Redirects and HSTS

On 9/26/14 11:27 AM, Ryan Sleevi wrote:
>
>
> On Fri, Sep 26, 2014 at 5:26 AM, Mike West <mkwst@google.com 
> <mailto:mkwst@google.com>> wrote:
>
>     +sleevi
>
>     On Fri, Sep 26, 2014 at 2:24 PM, Anne van Kesteren
>     <annevk@annevk.nl <mailto:annevk@annevk.nl>> wrote:
>
>         On Fri, Sep 26, 2014 at 2:15 PM, Mike West <mkwst@google.com
>         <mailto:mkwst@google.com>> wrote:
>         > Yes, I think that's true.
>
>         Perhaps Gecko's stance that HSTS rewriting happens after Mixed
>         Content
>         is correct. At least for non-same-origin HSTS. :-(
>
>
>     That's how Chrome implements it, actually. Ryan, et al, are
>     dead-set against moving HSTS before mixed content checking, as he
>     claims (correctly) that HSTS only protects those browsers that
>     support it. If we don't throw errors, we're throwing Safari and IE
>     users under a bus.
>
>     -mike
>
>
> Re-reading this thread, I'm not sure we're on the same page.
>
> My understanding from the last time I sync'd with Tanvi was that 
> Mozilla was doing HSTS rewrites before Mixed Content 
> detection/blocking, while Chrome does it after.
> For Chrome, this is tracked in a bug about our Extension API, but 
> which has similar behaviours to HSTS (see 
> https://code.google.com/p/chromium/issues/detail?id=122548#c26 )
> For Mozilla, this is https://bugzilla.mozilla.org/show_bug.cgi?id=838395
>
> That is, Chrome considers it a "Feature", Mozilla consider(ed?) it a "Bug"
Not quite.  Mozilla also does Mixed Content detection/blocking before 
HSTS.  On an https page an active http subresource load is blocked by 
the Mixed Content Blocker, even if the subresource is on an HSTS page.  
We don't plan to change this behavior right now, but will definitely 
revisit it as we get closer.

There is a project[1] in progress that could have a side effect of 
changing this so that HSTS redirects happen before Mixed Content 
Blocker.  We haven't discussed how we want to handle this yet, but will 
as we get closer to that part of the implementation.

[1] https://wiki.mozilla.org/Security/Features/Revamp_Security_Hooks

Received on Friday, 26 September 2014 19:07:57 UTC
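The two orderings argued over in this thread (mixed content blocking before the HSTS rewrite, as Chrome and, per the reply above, Gecko do it; versus HSTS rewrite first) can be modelled in a few lines. The following is an added example, not code from the thread or from either browser; the host names, the HSTS cache contents and the order labels are constructed for illustration, and only default ports are handled.

```javascript
// Added example (not from the thread or from any browser's source code).
// Models how the order of "HSTS rewrite" and "Mixed Content Blocker"
// changes the fate of an http:// active subresource on an https:// page.

// Constructed sample of a browser's HSTS cache: hosts previously seen with
// a Strict-Transport-Security header. A browser without HSTS support, or
// one that has never visited the host, behaves like an empty cache.
const HSTS_HOSTS = new Set(["cdn.example", "www.example"]);

// HSTS rewrite: upgrade http -> https when the host has a cached HSTS entry.
// Assumes default ports (no explicit :80 to translate to :443).
function applyHsts(url, hstsCache) {
  const u = new URL(url);
  if (u.protocol === "http:" && hstsCache.has(u.hostname)) {
    u.protocol = "https:";
  }
  return u.href;
}

// Mixed Content Blocker rule for *active* content (scripts, frames, ...):
// an http:// load inside an https:// document is blocked.
function isBlockedMixedContent(pageUrl, subresourceUrl) {
  return new URL(pageUrl).protocol === "https:" &&
         new URL(subresourceUrl).protocol === "http:";
}

// Simulate loading an active subresource under one of the two orderings.
// "mcb-then-hsts": mixed content check first (Chrome; Gecko per the reply).
// "hsts-then-mcb": rewrite first, then check what is left (the alternative).
// Returns { blocked, url } where url is what would actually be fetched.
function loadActiveSubresource(pageUrl, subresourceUrl, order, hstsCache) {
  if (order === "mcb-then-hsts") {
    if (isBlockedMixedContent(pageUrl, subresourceUrl)) {
      return { blocked: true, url: subresourceUrl };
    }
    return { blocked: false, url: applyHsts(subresourceUrl, hstsCache) };
  }
  if (order === "hsts-then-mcb") {
    const rewritten = applyHsts(subresourceUrl, hstsCache);
    if (isBlockedMixedContent(pageUrl, rewritten)) {
      return { blocked: true, url: rewritten };
    }
    return { blocked: false, url: rewritten };
  }
  throw new Error("unknown order: " + order);
}

// Walk one constructed case through every combination so the difference
// (and the reason Chrome keeps the check first) is visible.
function demo() {
  const page = "https://www.example/";
  const sub = "http://cdn.example/app.js";
  const rows = [];
  for (const order of ["mcb-then-hsts", "hsts-then-mcb"]) {
    for (const [label, cache] of [["hsts cached", HSTS_HOSTS], ["no hsts", new Set()]]) {
      rows.push({ order, label, ...loadActiveSubresource(page, sub, order, cache) });
    }
  }
  return rows;
}

for (const r of demo()) console.log(r);
```

Running it shows the practical consequence: under "hsts-then-mcb" the same `http://cdn.example/app.js` reference loads fine in a browser that has the HSTS entry cached but is blocked (or, in a browser with neither HSTS nor mixed content blocking, fetched in the clear) everywhere else, which is exactly the "only protects browsers that support it" objection quoted above. Doing the mixed content check first makes the http:// reference fail the same way in every browser, so the author notices and fixes the URL.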