Bug 255218

Summary:	[SOUP] Do not handle HSTS upgrade as a redirection in case of redirection
Product:	WebKit	Reporter:	Carlos Garcia Campos <cgarcia>
Component:	WebKitGTK	Assignee:	Carlos Garcia Campos <cgarcia>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	bugs-noreply, max, mcatanzaro
Priority:	P2	Keywords:	Gtk
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

Carlos Garcia Campos

Reported 2023-04-10 00:57:48 PDT

We handle HSTS upgrades as a redirection to let Web and UI processes know about the URL change, but in case of redirection, the new request is originated in the network process, so we can just update the URL.

Attachments
Add attachment proposed patch, testcase, etc.

Carlos Garcia Campos

Comment 1 2023-04-10 00:59:59 PDT

Pull request: https://github.com/WebKit/WebKit/pull/12566

EWS

Comment 2 2023-04-11 01:48:06 PDT

Committed 262817@main (cebc10654f3c): <https://commits.webkit.org/262817@main> Reviewed commits have been landed. Closing PR #12566 and removing active labels.

Max Schmitt

Comment 3 2025-03-21 10:07:17 PDT

Looks like this patch broke HSTS with redirects from the UI perspective. Not sure if it broke when merging or during the last 2 years. With my repro (https://github.com/microsoft/playwright/issues/35293#issuecomment-2741690676) I was able to reproduce it in Epiphany 46. How does it surface? - Its only about HSTS during a redirection - The URL the browser is surfacing (window.location AND URL bar) is still HTTP - There is certificate information shown in the browser UI - The actual content which is fetched is HTTPS (post-HSTS) - When reverting the change in https://github.com/WebKit/WebKit/pull/12566 it seems to work as expected. - See the screenshot how it ends up: https://github.com/user-attachments/assets/5cb18f31-e071-4ac1-bd99-38970b3022e3 General notes about HSTS while debugging: - Doesn't work on localhost - Doesn't work with self-signed TLS certificate Downstream issue: https://github.com/microsoft/playwright/issues/35293

Michael Catanzaro

Comment 4 2025-03-21 10:59:07 PDT

We will need a new bug report for this, please!

Max Schmitt

Comment 5 2025-03-21 12:51:25 PDT

Done in https://bugs.webkit.org/show_bug.cgi?id=290204

Note You need to log in before you can comment on or make changes to this bug.