Bug 290204
| Summary: | [SOUP] HSTS redirection is not updating new URL in UI / window.location.href | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Max Schmitt <max> |
| Component: | WebKitGTK | Assignee: | Patrick Griffis <pgriffis> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | bugs-noreply, cgarcia, dpino, mcatanzaro, pgriffis, yurys |
| Priority: | P2 | | |
| Version: | WebKit Nightly Build | | |
| Hardware: | PC | | |
| OS: | Linux | | |
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=255218 | | |
Max Schmitt
Looks like https://bugs.webkit.org/show_bug.cgi?id=255218 broke HSTS with redirects from the UI perspective. Not sure if it broke when merging or during the last 2 years. With my repro (https://github.com/microsoft/playwright/issues/35293#issuecomment-2741690676) I was able to reproduce it in Epiphany 46.
How does it surface?
- It's only about HSTS during a redirection
- The URL the browser is surfacing (window.location AND URL bar) is still HTTP
- There is certificate information shown in the browser UI
- The actual content which is fetched is HTTPS (post-HSTS)
- When reverting the change in https://github.com/WebKit/WebKit/pull/12566 it seems to work as expected.
- See the screenshot for how it ends up: https://github.com/user-attachments/assets/5cb18f31-e071-4ac1-bd99-38970b3022e3
General notes about HSTS while debugging:
- Doesn't work on localhost
- Doesn't work with self-signed TLS certificate
Downstream issue: https://github.com/microsoft/playwright/issues/35293
Max Schmitt
I made a public repro:
1. Go to https://webkit.love/
2. Click on the link
Expected: URL bar & window.location.href has HTTPS
Actual: URL bar & window.location.href has HTTP
Note: When navigating to the https:// site, it sets the HSTS header; a redirect to http should then immediately get redirected to https://. This works in Safari, Chromium and Firefox.
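
Added example (not part of the bug report, and not WebKit or libsoup code): a small JavaScript model of the behaviour described in the comment above, where the HSTS upgrade applied to a redirect target is also the URL that ends up committed. `SITE`, `HstsStore`, `navigate`, `committedUrl` and the host `example.test` are hypothetical; the `tlsOk` flag models the reporter's note that HSTS does not take effect with a self-signed certificate.

```javascript
// Constructed responses (not a real site); example.test is a placeholder host.
const SITE = {
  'https://example.test/': { status: 200, sts: 'max-age=31536000; includeSubDomains' },
  'https://example.test/go': { status: 302, location: 'http://example.test/landing' },
  'https://example.test/landing': { status: 200 },
  'http://example.test/landing': { status: 200 }, // reachable only without a policy
};

class HstsStore {
  constructor() { this.hosts = new Map(); }
  // Note a policy only from an HTTPS response received without TLS errors.
  note(url, header, tlsOk) {
    if (!header || url.protocol !== 'https:' || !tlsOk) return;
    const m = /(?:^|;)\s*max-age\s*=\s*"?(\d+)"?/i.exec(header);
    if (!m) return;
    if (Number(m[1]) === 0) { this.hosts.delete(url.hostname); return; }
    const includeSub = /(?:^|;)\s*includeSubDomains\s*(?:;|$)/i.test(header);
    this.hosts.set(url.hostname, { includeSub });
  }
  covers(host) {
    if (this.hosts.has(host)) return true;
    const labels = host.split('.');
    for (let i = 1; i < labels.length; i++) {
      const parent = this.hosts.get(labels.slice(i).join('.'));
      if (parent && parent.includeSub) return true;
    }
    return false;
  }
  // Return the URL to request: http becomes https for a known HSTS host.
  upgrade(url) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.covers(u.hostname)) u.protocol = 'https:';
    return u;
  }
}

function navigate(start, store, tlsOk = true) {
  let url = store.upgrade(start);
  const fetched = [];
  for (let hop = 0; hop < 10; hop++) {
    const res = SITE[url.href];
    fetched.push(url.href);
    store.note(url, res.sts, tlsOk);
    // The committed URL is the one actually requested, upgrade included.
    if (res.status < 300 || res.status > 399) return { committedUrl: url.href, fetched };
    url = store.upgrade(new URL(res.location, url));
  }
  throw new Error('too many redirects');
}
```
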
Patrick Griffis
Pull request: https://github.com/WebKit/WebKit/pull/44099
EWS
Committed 293933@main (577c1fd295e8): <https://commits.webkit.org/293933@main>
Reviewed commits have been landed. Closing PR #44099 and removing active labels.