Bug 199439
| Summary: | Force HSTS for sites that don't support HTTPS | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Mykola Dekhtiarenko <Mykola_Dekhtiarenko> |
| Component: | New Bugs | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | | |
| Severity: | Major | CC: | bfulgham, wilander |
| Priority: | P2 | | |
| Version: | Safari Technology Preview | | |
| Hardware: | Mac | | |
| OS: | macOS 10.14 | | |
Mykola Dekhtiarenko
Here is the situation: there are two web pages on the same host but on different ports; the first one has HTTPS and the other one doesn't. After visiting the one that has HTTPS it's impossible to reach the second one, because Safari forces HTTPS for all of the web pages on the same host without considering the port.
Alexey Proskuryakov
This sounds like how HSTS is supposed to work. What exactly do you see as a WebKit bug here?
Mykola Dekhtiarenko
The problem here is that it's not the same site. One is the real system we are developing (this is the one that has HTTPS) and the other one is just some kind of mock system that provides different stubs for third-party systems we are using. This mock system has a web page that was made to configure its behavior, and after the first visit to the real system there is no way to reach the mock one because Safari forces HTTPS there.
By the way, I checked this case on Chrome and Firefox and I was able to reach the mock one after visiting the one with the real system.
Brent Fulgham
And the site is not setting the Upgrade-Insecure-Requests or HSTS headers?
This could be due to a Safari feature that will preferentially visit the HTTPS version of the site once it knows it exists.
Have you tried deleting website data for the origin?
Mykola Dekhtiarenko
I have checked the responses and yes, the origin returns the "Strict-Transport-Security: max-age=31536000; includeSubDomains" header.
I've deleted website data and it hasn't helped. To stop this behavior I also have to delete the HSTS.plist file, but that only works until I visit the original one again.
If it's expected behavior, is there any switch or extension with which it's possible to turn it off for testing purposes? And I should mention this again: it behaves like that only in Safari, so I just wonder why it is different?
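The behavior discussed in this thread, as an added example that is not WebKit's own code: a minimal model of a browser HSTS policy store following RFC 6797, where the policy is keyed on the host name alone (no port) and `includeSubDomains` extends it to subdomains. It shows why a `Strict-Transport-Security` header received from `https://app.example.test` also upgrades `http://app.example.test:8080`, and why the header is ignored when it arrives over plain HTTP. The host names, ports and header value below are constructed for illustration.

```javascript
// Added example, not WebKit code: an RFC 6797 style HSTS policy store.
// Host names and ports are assumed for illustration.

// Parse a Strict-Transport-Security header value into
// { maxAge, includeSubDomains }; return null if max-age is missing or invalid.
function parseHsts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const rawDirective of value.split(";")) {
    const directive = rawDirective.trim();
    if (!directive) continue;
    const [name, ...rest] = directive.split("=");
    const key = name.trim().toLowerCase();
    if (key === "max-age") {
      // The value may be quoted; it must be a non-negative integer.
      const n = Number(rest.join("=").trim().replace(/^"|"$/g, ""));
      if (!Number.isInteger(n) || n < 0) return null;
      maxAge = n;
    } else if (key === "includesubdomains") {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  // `now` is injectable so expiry can be tested deterministically.
  constructor(now = () => Date.now()) {
    this.policies = new Map(); // host name -> { expires, includeSubDomains }
    this.now = now;
  }

  // Record the policy carried by a response. RFC 6797 keys the policy on the
  // host name only, so the port of the responding origin is not recorded,
  // which is exactly why a policy learned on :443 applies to :8080 too.
  // The header is only honored over HTTPS; max-age=0 removes the policy.
  noteResponse(url, headerValue) {
    const u = new URL(url);
    if (u.protocol !== "https:") return false;
    const parsed = parseHsts(headerValue);
    if (!parsed) return false;
    const host = u.hostname.toLowerCase();
    if (parsed.maxAge === 0) {
      this.policies.delete(host);
      return true;
    }
    this.policies.set(host, {
      expires: this.now() + parsed.maxAge * 1000,
      includeSubDomains: parsed.includeSubDomains,
    });
    return true;
  }

  // Known HSTS host check: an exact match always applies; a match on a
  // parent domain applies only if that policy set includeSubDomains.
  isKnownHost(host) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join(".");
      const policy = this.policies.get(candidate);
      if (!policy) continue;
      if (policy.expires <= this.now()) {
        this.policies.delete(candidate); // expired policy is dropped
        continue;
      }
      if (i === 0 || policy.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite an http:// URL to https:// when its host is a known HSTS host.
  // The WHATWG URL parser already drops an explicit default port (80), so
  // after the scheme change a default port becomes 443 and any other
  // explicit port is preserved, matching RFC 6797 section 8.3.
  upgrade(url) {
    const u = new URL(url);
    if (u.protocol !== "http:" || !this.isKnownHost(u.hostname)) return u.href;
    u.protocol = "https:";
    return u.href;
  }
}

// The reporter's scenario: visit the HTTPS system, receive HSTS, then try the
// plain-HTTP mock on another port of the same host. Returns the URL the
// browser would actually request for the mock page.
function reporterScenario() {
  const store = new HstsStore();
  store.noteResponse("https://app.example.test/", "max-age=31536000; includeSubDomains");
  return store.upgrade("http://app.example.test:8080/mock-config");
}
```

Because the store never records the port, the only ways to reach the plain-HTTP mock page from the same browser profile are to let the policy expire, have the HTTPS origin send `max-age=0`, or serve the mock from a different host name that is not covered by `includeSubDomains`.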