Bug 157885

Summary: CSP: Account for HSTS when deciding whether to send the 'Upgrade-Insecure-Requests' Header
Product: WebKit
Reporter: Brent Fulgham <bfulgham>
Component: WebCore Misc.
Assignee: Brent Fulgham <bfulgham>
Status: NEW
Severity: Normal
CC: bfulgham, csaavedra, mcatanzaro, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on: 143653
Bug Blocks:

Brent Fulgham
Reported 2016-05-18 23:33:47 PDT
The 'Upgrade-Insecure-Requests' specification <https://w3c.github.io/webappsec/specs/upgrade/> suggests an optimization to sending the header, limiting it to sites that are not known canonical HSTS targets. We should implement this check and avoid adding the header when it is not needed.
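The optimization the report refers to, as an added example that is not WebKit's code and not part of the bug report: a small HSTS cache fed from Strict-Transport-Security response headers, plus a pure decision function that omits the `Upgrade-Insecure-Requests` header when the request is already https or the host is covered by an unexpired HSTS entry (the UA will upgrade such a request itself, so the hint is redundant). The names `HstsCache`, `decideUpgradeInsecureRequests` and `buildSampleCache`, the exact policy (send on http, skip on https and on known HSTS hosts, honour includeSubDomains), and the sample hosts are assumptions made for illustration; the RFC 6797 points it encodes (max-age is required, max-age=0 revokes, the header is ignored over insecure transport) are real.

```cpp
// Added example (not WebKit's code): an HSTS-aware decision for the
// Upgrade-Insecure-Requests request header. The policy is an assumption for
// illustration: add the header to http requests unless the host is already
// covered by an HSTS entry the UA trusts, since the UA upgrades those itself.
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <map>
#include <sstream>
#include <string>

struct HstsEntry {
    int64_t expiresAt;       // absolute time in seconds; dead once now >= expiresAt
    bool includeSubDomains;
};

static std::string lowerAscii(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

static std::string trim(const std::string& s) {
    size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    return s.substr(b, s.find_last_not_of(" \t") - b + 1);
}

class HstsCache {
public:
    // Record a Strict-Transport-Security header from a response for `host`.
    // RFC 6797 s8.1: the header is only honoured when received over TLS.
    // Returns false if the header was ignored (insecure transport or malformed).
    bool observe(const std::string& host, const std::string& headerValue,
                 int64_t now, bool receivedOverSecureTransport) {
        if (!receivedOverSecureTransport) return false;
        bool sawMaxAge = false, subs = false;
        int64_t maxAge = 0;
        std::stringstream ss(headerValue);
        std::string directive;
        while (std::getline(ss, directive, ';')) {
            size_t eq = directive.find('=');
            std::string name = lowerAscii(trim(directive.substr(0, eq)));
            if (name == "max-age") {
                if (eq == std::string::npos) return false;
                std::string v = trim(directive.substr(eq + 1));
                if (v.empty()) return false;
                for (char c : v) {
                    if (!std::isdigit(static_cast<unsigned char>(c))) return false;
                    maxAge = std::min<int64_t>(maxAge * 10 + (c - '0'), INT32_MAX); // clamp
                }
                sawMaxAge = true;
            } else if (name == "includesubdomains") {
                subs = true;
            } // unknown directives are ignored
        }
        if (!sawMaxAge) return false;           // max-age is REQUIRED
        std::string h = lowerAscii(host);
        if (maxAge == 0) { entries.erase(h); return true; } // max-age=0 revokes
        entries[h] = HstsEntry{ now + maxAge, subs };
        return true;
    }

    // A host is "known HSTS" if it has an unexpired entry, or an ancestor
    // domain has one with includeSubDomains.
    bool isKnownHstsHost(const std::string& host, int64_t now) const {
        std::string h = lowerAscii(host);
        bool exact = true;
        for (;;) {
            auto it = entries.find(h);
            if (it != entries.end() && now < it->second.expiresAt
                && (exact || it->second.includeSubDomains))
                return true;
            size_t dot = h.find('.');
            if (dot == std::string::npos) return false;
            h = h.substr(dot + 1);
            exact = false;
        }
    }

private:
    std::map<std::string, HstsEntry> entries;
};

enum class UpgradeDecision { Send, SkipAlreadySecure, SkipKnownHsts };

// The check the bug asks for, as a pure function over the request's scheme and host.
UpgradeDecision decideUpgradeInsecureRequests(const std::string& scheme, const std::string& host,
                                              const HstsCache& hsts, int64_t now) {
    if (lowerAscii(scheme) == "https") return UpgradeDecision::SkipAlreadySecure;
    if (hsts.isKnownHstsHost(host, now)) return UpgradeDecision::SkipKnownHsts;
    return UpgradeDecision::Send;
}

// Constructed sample (hypothetical hosts): STS headers as a UA might have seen them.
HstsCache buildSampleCache() {
    HstsCache cache;
    cache.observe("Example.com", "max-age=31536000; includeSubDomains", 1000, true);
    cache.observe("only.test", "max-age=100", 1000, true);
    cache.observe("plain.test", "max-age=100", 1000, false); // over http: ignored
    return cache;
}

int main() {
    HstsCache cache = buildSampleCache();
    const char* hosts[] = { "www.example.com", "sub.only.test", "plain.test", "other.test" };
    for (const char* h : hosts)
        std::printf("http://%s -> %s\n", h,
            decideUpgradeInsecureRequests("http", h, cache, 2000) == UpgradeDecision::Send
                ? "send Upgrade-Insecure-Requests: 1" : "omit (HSTS will upgrade)");
    return 0;
}
```

The two caveats worth keeping when wiring a check like this into a real loader: the cache must only be populated from responses received over TLS, or an on-path attacker on http could plant entries that suppress the header; and "known" must mean unexpired, since a stale entry would silently drop the upgrade hint for a host the UA will no longer upgrade.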
Radar WebKit Bug Importer
Comment 1 2016-05-19 12:38:08 PDT
Michael Catanzaro
Comment 2 2018-11-13 17:00:43 PST
There's a FIXME for this in FrameLoader::addHTTPUpgradeInsecureRequestsIfNeeded.