HSTS not being applied to resources |
||||||
Issue descriptionVersion: 50.0.2661.49 OS: Ubuntu 14.04 What steps will reproduce the problem? (1) Visit https://gauntface.com (This site has HSTS) (2) Go to a http URL (3) In DevTools, start network recording (4) In the console run fetch('http://gauntface.com'); *Notice the HTTP protocol (5) In the console run new Image().src = 'http://gauntface.com'; *Again notice the HTTP protocol (6) Now go back to the network panel What is the expected output? The initial fetch request should be upgraded to HTTPS. The image request should be upgraded to HTTPS. (In FF this results in a 304 Not Modified response as well) What do you see instead? Both fetch and image request make a request for the HTTP page which are then redirected to the HTTPS resource. Further note: This also has an affect on service workers (SW). SW will receive the HTTP request rather than the upgraded HTTPS request.
,
Mar 31 2016
Apologies if these are stupid questions: Looking at https://fetch.spec.whatwg.org/#main-fetch point 7 I was under the impression that it wasn't to spec: "Set request's current url's scheme to "https" if all of the following conditions are true....", one of which is HSTS. At the moment the behavior between Firefox and Chrome is different, is Chrome to spec and Firefox implementing some of the proposed changes in the linked doc?
,
Mar 31 2016
Ah. I think I should actually read the bug before repling to what I think you're asking: > Looking at https://fetch.spec.whatwg.org/#main-fetch point 7 Mixed content checking happens in step 5, so: * `fetch` should block the request before it zings through HSTS, because it's blockable mixed content. * `<img>` will degrade the omnibox by making it less green, then hit the //net stack where it's upgraded to HTTPS before it hits the network. You'll see a 307 status in devtools, which is an internal detail of the way our network stack works. It does look like there's a bug in the latter, in that we're not applying HSTS before we send the request to the service worker. You're entirely correct that the service worker shouldn't see the `http`. Reassigning to horo@ to take a look (though I think this is going to be a bit difficult to fix, given the way things are layered at the moment).
,
Mar 31 2016
In the steps above, it's a HTTP page requesting a HTTPS resource, so the mixed content warning shouldn't be a problem here. The SW issue I actually hit via localhost testing of a library - at which point I spotted the difference between FF and Chrome. thanks for looking into this Mike.
,
Aug 1 2016
,
Feb 18 2017
,
Nov 10 2017
,
Jan 13 2018
Mike: Is HSTS Priming still going on? I'm wondering if this is WontFix/WorkingAsIntended otherwise =)
,
Jan 16 2018
Priming is dead. Long live automatic upgrading in MIX2 (https://github.com/mikewest/webappsec-mixed-content/blob/master/proposed-level-2-roadmap.md). That said, if there are still behavioral differences between our implementation and Firefox's for service workers, we should look into that.
,
Feb 18 2018
|
||||||
►
Sign in to add a comment |
||||||
Comment 1 by mkwst@chromium.org
, Mar 31 2016Components: Blink>SecurityFeature
Labels: -Type-Bug OS-Android OS-Chrome OS-Mac OS-Windows Type-Feature
Owner: mkwst@chromium.org
Status: Assigned (was: Untriaged)