Bug 282054
| Summary: | HSTS should ignore strict-transport-security response headers from localhost | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Eric Lawrence (MSFT) <ericlaw> |
| Component: | New Bugs | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | ||
| Severity: | Normal | CC: | ahmad.saleem792, annevk, karlcow, m_finkel, webkit-bug-importer, wilander |
| Priority: | P2 | Keywords: | BrowserCompat, HTML5, InRadar |
| Version: | Safari 18 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Eric Lawrence (MSFT)
https://issues.chromium.org/issues/41251622
Strict-Transport-Security response headers can cause problems for localhost web servers because STS applies host-wide, across all ports. This causes compatibility problems for web developers testing locally as well as end-users who use software packages that commonly spin up localhost web servers for ephemeral reasons (e.g. communication of an auth token from a web login to a local software package). If one local listener sets Strict-Transport-Security on a localhost response, it will be applied to all subsequent localhost requests regardless of port. We resolve this problem by ignoring Strict-Transport-Security headers on responses from localhost URLs.
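As an added illustration (not code from WebKit, Chromium, Firefox, or the reporter), the following JavaScript models what the report describes: a toy HSTS store keyed by host name only, so an entry written by one localhost listener upgrades requests to every other localhost port, alongside the reported fix of ignoring the Strict-Transport-Security header on localhost responses. `HstsStore`, `isLocalhost`, the set of loopback names treated as localhost (`localhost`, `*.localhost`, `127.0.0.1`, `[::1]`) and the `skipLocalhostUpgrade` option (a sketch of the Firefox-style alternative of skipping the upgrade check for localhost requests) are assumptions made for this example, and the response headers are constructed.

```javascript
// Added example, not WebKit/Chromium/Firefox code. Entries are keyed by host
// name only (no port), which is why one localhost listener's header affects
// every other localhost port. The loopback names below are an assumption.

function isLocalhost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, '');
  return h === 'localhost' || h.endsWith('.localhost') ||
    h === '127.0.0.1' || h === '[::1]';
}

// Parse "max-age=N[; includeSubDomains]"; returns null if max-age is missing.
function parseSts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const part of value.split(';')) {
    const [name, raw] = part.trim().split('=');
    const key = name.toLowerCase();
    if (key === 'max-age' && raw !== undefined) {
      const n = Number(raw.replace(/"/g, '').trim());
      if (Number.isInteger(n) && n >= 0) maxAge = n;
    } else if (key === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor({ ignoreLocalhostHeaders = true,  // the fix from the report
                skipLocalhostUpgrade = false,  // Firefox-style alternative (assumption)
                now = () => Date.now() } = {}) {
    this.ignoreLocalhostHeaders = ignoreLocalhostHeaders;
    this.skipLocalhostUpgrade = skipLocalhostUpgrade;
    this.now = now;
    this.entries = new Map(); // hostname -> { expires, includeSubDomains }
  }

  // Record STS state from a response (headers: lowercase-keyed object).
  // Returns 'stored', 'cleared' or 'ignored'.
  processResponse(responseUrl, headers) {
    const url = new URL(responseUrl);
    if (url.protocol !== 'https:') return 'ignored'; // RFC 6797: secure transport only
    if (this.ignoreLocalhostHeaders && isLocalhost(url.hostname)) return 'ignored';
    const value = headers['strict-transport-security'];
    if (value === undefined) return 'ignored';
    const sts = parseSts(value);
    if (sts === null) return 'ignored';
    if (sts.maxAge === 0) { this.entries.delete(url.hostname); return 'cleared'; }
    this.entries.set(url.hostname, {
      expires: this.now() + sts.maxAge * 1000,
      includeSubDomains: sts.includeSubDomains,
    });
    return 'stored';
  }

  // Should an http:// request be upgraded? Checks the host and its parent
  // domains; the port plays no part in the lookup.
  shouldUpgrade(requestUrl) {
    const url = new URL(requestUrl);
    if (url.protocol !== 'http:') return false;
    if (this.skipLocalhostUpgrade && isLocalhost(url.hostname)) return false;
    const labels = url.hostname.split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.entries.get(candidate);
      if (entry === undefined) continue;
      if (entry.expires <= this.now()) { this.entries.delete(candidate); continue; }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite to https://, keeping any explicit port (RFC 6797 section 8.3).
  upgrade(requestUrl) {
    const url = new URL(requestUrl);
    if (this.shouldUpgrade(requestUrl)) url.protocol = 'https:';
    return url.href;
  }
}

// The scenario from the report, with constructed responses: a listener on
// :8443 sends STS, and an auth-callback listener on :3000 is the victim.
function demonstrate() {
  const sts = { 'strict-transport-security': 'max-age=31536000' };
  const broken = new HstsStore({ ignoreLocalhostHeaders: false });
  const fixed = new HstsStore();
  return {
    brokenStored: broken.processResponse('https://localhost:8443/', sts),
    brokenUpgradesOtherPort: broken.upgrade('http://localhost:3000/callback'),
    fixedStored: fixed.processResponse('https://localhost:8443/', sts),
    fixedUpgradesOtherPort: fixed.upgrade('http://localhost:3000/callback'),
  };
}

console.log(demonstrate());
```

With `ignoreLocalhostHeaders` off, the callback URL on port 3000 comes back rewritten to `https://`, which is the cross-port breakage the report describes; with the default (the reported fix) the header from port 8443 is never stored and the port 3000 request is left alone. Real stores also persist across restarts and honour preloaded entries, which this model leaves out.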
Anne van Kesteren
Reportedly Firefox already does this. Eric posted a patch to standardize this behavior in Fetch here: https://github.com/whatwg/fetch/pull/1781
Seems reasonable enough to adopt.
Eric Lawrence (MSFT)
Yes, Firefox skips the HSTS upgrade check here:
https://searchfox.org/mozilla-central/source/netwerk/base/nsNetUtil.cpp#3040
Radar WebKit Bug Importer
<rdar://problem/138634128>
Eric Lawrence (MSFT)
Chromium change landed for M132: https://chromiumdash.appspot.com/commit/a5e738f2321ce1a2f3cdb34fa70dc76b84af9824
Eric Lawrence (MSFT)
As of November 5, 2024, the Fetch standard has been updated to require skipping localhost.
https://fetch.spec.whatwg.org/#main-fetch