282054 2024-10-24 11:37:38 -0700 HSTS should ignore strict-transport-security response headers from localhost 2024-11-08 07:42:59 -0800 1 1 1 Unclassified WebKit New Bugs Safari 18 Unspecified Unspecified NEW BrowserCompat, HTML5, InRadar P2 Normal --- 1 ericlaw webkit-unassigned ahmad.saleem792 annevk karlcow m_finkel webkit-bug-importer wilander oldest_to_newest 2070394 0 ericlaw 2024-10-24 11:37:38 -0700 https://issues.chromium.org/issues/41251622 Strict-Transport-Security response headers can cause problems for localhost web servers because STS applies host-wide, across all ports. This causes compatibility problems for web developers testing locally as well as end-users who use software packages that commonly spin up localhost webservers for ephemeral reasons (e.g. communication of an auth token from a web login to a local software package). If one local listener sets Strict-Transport-Security on a localhost response, it will be applied to all subsequent localhost requests regardless of port. We resolve this problem by ignoring Strict-Transport-Security headers on responses from localhost URLs. 2070422 1 annevk 2024-10-24 14:27:23 -0700 Reportedly Firefox already does this. Eric posted a patch to standardize this behavior in Fetch here: https://github.com/whatwg/fetch/pull/1781 Seems reasonable enough to adopt. 2070424 2 ericlaw 2024-10-24 14:32:05 -0700 Yes, Firefox skips the HSTS upgrade check here: https://searchfox.org/mozilla-central/source/netwerk/base/nsNetUtil.cpp#3040 2070563 3 webkit-bug-importer 2024-10-25 07:44:59 -0700 <rdar://problem/138634128> 2071649 4 ericlaw 2024-10-30 10:52:09 -0700 Chromium change landed for M132: https://chromiumdash.appspot.com/commit/a5e738f2321ce1a2f3cdb34fa70dc76b84af9824 2073836 5 ericlaw 2024-11-08 07:42:59 -0800 As of November 5, 2024, the Fetch standard has been updated to require skipping localhost. https://fetch.spec.whatwg.org/#main-fetch