
Re: Redirects and HSTS

From: Tanvi Vyas <tanvi@mozilla.com>
Date: Fri, 26 Sep 2014 12:24:20 -0700
Message-ID: <5425BD64.6030108@mozilla.com>
To: Ryan Sleevi <sleevi@google.com>, Mike West <mkwst@google.com>
CC: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>
On 9/26/14 12:07 PM, Tanvi Vyas wrote:
> Not quite.  Mozilla also does Mixed Content detection/blocking before 
> HSTS.  On an https page an active http subresource load is blocked 
> by the Mixed Content Blocker, even if the subresource is on an HSTS 
> page.  We don't plan to change this behavior right now, but will 
> definitely revisit it as we get closer.
Correction... We don't plan to change this behavior right now.  The last 
fragment was meant to be part of the next statement.

> There is a project[1] in progress that could have a side effect of 
> changing this so that HSTS redirects happen before Mixed Content 
> Blocker.  We haven't discussed how we want to handle this yet, but 
> will as we get closer to that part of the implementation.
> [1] https://wiki.mozilla.org/Security/Features/Revamp_Security_Hooks
Received on Friday, 26 September 2014 19:24:48 UTC
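A toy model of the ordering question discussed above, as an added example that is not part of the original message or of Mozilla's code: the same http subresource on an https page is blocked when the Mixed Content Blocker runs first, and upgraded when the HSTS check runs first. The hostnames and HSTS entries are constructed for the demo.

```python
# Added example (not Mozilla code): a toy model of the two pipeline orders
# discussed in the thread. Hostnames and the HSTS list are constructed.
from urllib.parse import urlsplit, urlunsplit

# Constructed HSTS store: host -> includeSubDomains flag
HSTS_STORE = {"cdn.example.test": True, "static.example.test": False}

def hsts_applies(host):
    """True if an HSTS entry covers `host` (exact match or includeSubDomains parent)."""
    if host in HSTS_STORE:
        return True
    parts = host.split(".")
    for i in range(1, len(parts) - 1):
        if HSTS_STORE.get(".".join(parts[i:])):
            return True
    return False

def hsts_upgrade(url):
    """Rewrite http:// to https:// when the host is HSTS-known (RFC 6797 upgrade).
    Explicit ports are left alone for simplicity; a real UA also maps 80 -> 443."""
    p = urlsplit(url)
    if p.scheme == "http" and hsts_applies(p.hostname):
        return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
    return url

def mixed_content_allowed(page_url, sub_url):
    """Mixed Content Blocker for active content: no http:// subresource on an https:// page."""
    return not (urlsplit(page_url).scheme == "https" and urlsplit(sub_url).scheme == "http")

def load_subresource(page_url, sub_url, hsts_first):
    """Run the two checks in the given order; return ('blocked'|'loaded', final_url).
    hsts_first=False models the Firefox order described in the message."""
    url = sub_url
    if hsts_first:
        url = hsts_upgrade(url)          # HSTS rewrite before the blocker sees it
    if not mixed_content_allowed(page_url, url):
        return ("blocked", url)           # blocker wins: request never issued
    if not hsts_first:
        url = hsts_upgrade(url)          # HSTS only applies to what survived the blocker
    return ("loaded", url)
```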