- From: Tanvi Vyas <tanvi@mozilla.com>
- Date: Fri, 26 Sep 2014 12:07:29 -0700
- To: Ryan Sleevi <sleevi@google.com>, Mike West <mkwst@google.com>
- CC: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <5425B971.6070306@mozilla.com>
On 9/26/14 11:27 AM, Ryan Sleevi wrote:
> On Fri, Sep 26, 2014 at 5:26 AM, Mike West <mkwst@google.com> wrote:
>
> > +sleevi
> >
> > On Fri, Sep 26, 2014 at 2:24 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> >
> > > On Fri, Sep 26, 2014 at 2:15 PM, Mike West <mkwst@google.com> wrote:
> > > > Yes, I think that's true.
> > >
> > > Perhaps Gecko's stance that HSTS rewriting happens after Mixed Content
> > > is correct. At least for non-same-origin HSTS. :-(
> >
> > That's how Chrome implements it, actually. Ryan, et al, are
> > dead-set against moving HSTS before mixed content checking, as he
> > claims (correctly) that HSTS only protects those browsers that
> > support it. If we don't throw errors, we're throwing Safari and IE
> > users under a bus.
> >
> > -mike
>
> Re-reading this thread, I'm not sure we're on the same page.
>
> My understanding from the last time I sync'd with Tanvi was that
> Mozilla was doing HSTS rewrites before Mixed Content
> detection/blocking, while Chrome does it after.
> For Chrome, this is tracked in a bug about our Extension API, but
> which has similar behaviours to HSTS (see
> https://code.google.com/p/chromium/issues/detail?id=122548#c26 )
> For Mozilla, this is https://bugzilla.mozilla.org/show_bug.cgi?id=838395
>
> That is, Chrome considers it a "Feature", Mozilla consider(ed?) it a "Bug"

Not quite. Mozilla also does Mixed Content detection/blocking before HSTS. On an https page an active http subresource load is blocked by the Mixed Content Blocker, even if the subresource is on an HSTS page. We don't plan to change this behavior right now, but will definitely revisit it as we get closer.

There is a project[1] in progress that could have a side effect of changing this so that HSTS redirects happen before Mixed Content Blocker. We haven't discussed how we want to handle this yet, but will as we get closer to that part of the implementation.
[1] https://wiki.mozilla.org/Security/Features/Revamp_Security_Hooks
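The two pipeline orderings debated above, as an added Python model that is not Gecko or Chromium code: it runs a subresource load through "Mixed Content Blocker first" and "HSTS rewrite first" and shows why the latter only helps browsers that implement HSTS. The HSTS host list, the URLs and the `hsts_supported` flag are constructed assumptions.

```python
"""Model of HSTS-rewrite ordering relative to mixed content blocking.

Added illustration; not the code of any browser. Sample data is constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed HSTS store: hosts that previously sent Strict-Transport-Security.
HSTS_HOSTS = {"cdn.example.com"}
# Subresource types treated as "active" mixed content (blocked, not just warned).
ACTIVE_TYPES = {"script", "stylesheet", "iframe", "xhr"}


@dataclass(frozen=True)
class Decision:
    action: str  # "allow" or "block"
    url: str     # URL that would actually be fetched (after any upgrade)


def hsts_rewrite(url: str, hsts_supported: bool) -> str:
    """Upgrade http -> https for known HSTS hosts; no-op in a browser without HSTS."""
    p = urlparse(url)
    if hsts_supported and p.scheme == "http" and p.hostname in HSTS_HOSTS:
        return p._replace(scheme="https").geturl()
    return url


def is_blocked_mixed_content(page_url: str, sub_url: str, subtype: str) -> bool:
    """Active http subresource on an https page is blocked."""
    return (urlparse(page_url).scheme == "https"
            and urlparse(sub_url).scheme == "http"
            and subtype in ACTIVE_TYPES)


def load(page_url: str, sub_url: str, subtype: str,
         hsts_first: bool, hsts_supported: bool = True) -> Decision:
    """hsts_first=True models the 'rewrite before checking' ordering;
    hsts_first=False models Gecko/Chrome as described in the thread."""
    if hsts_first:
        sub_url = hsts_rewrite(sub_url, hsts_supported)
    if is_blocked_mixed_content(page_url, sub_url, subtype):
        return Decision("block", sub_url)  # blocked load is never upgraded
    if not hsts_first:
        sub_url = hsts_rewrite(sub_url, hsts_supported)
    return Decision("allow", sub_url)
```

With `hsts_first=True` the same page works silently in an HSTS-aware browser but is blocked in one without HSTS, which is the "throwing Safari and IE users under a bus" point; with `hsts_first=False` every browser blocks consistently and the author sees the error.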
Received on Friday, 26 September 2014 19:07:57 UTC