Bug 63097

Summary: bugs.webkit.org should use Strict-Transport-Security
Product: WebKit Reporter: Adam Barth <abarth>
Component: New BugsAssignee: Adam Barth <abarth>
Status: RESOLVED FIXED    
Severity: Normal CC: aroben, cevans, eric, webkit.review.bot, wsiegrist
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Adam Barth
Reported 2011-06-21 15:18:41 PDT
bugs.webkit.org should use Strict-Transport-Security
Attachments
Patch (1.12 KB, patch)
2011-06-21 15:19 PDT, Adam Barth 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Adam Barth
Comment 1 2011-06-21 15:19:52 PDT
Created attachment 98062 [details] Patch
Adam Barth
Comment 2 2011-06-21 15:20:34 PDT
Comment on attachment 98062 [details] Patch My Apache is somewhat rusty, so patch is somewhat of a guess.
Eric Seidel (no email)
Comment 3 2011-06-21 15:25:02 PDT
SGTM.
Eric Seidel (no email)
Comment 4 2011-06-21 15:25:02 PDT
SGTM.
Chris Evans
Comment 5 2011-06-21 15:28:51 PDT
What about ;includeSubDomains (or however it is spelled) It defends against some additional faults in corner cases. Does this cover the attachment origins too? (e.g. https://bug-63097-attachments.webkit.org/)
Adam Barth
Comment 6 2011-06-21 15:40:51 PDT
> What about ;includeSubDomains (or however it is spelled) > It defends against some additional faults in corner cases. Looks like bugzilla only uses host cookies, so we probably don't need this. (It's not useful for integrity unless we can get all of webkit.org, which seems unlikely.) > Does this cover the attachment origins too? (e.g. https://bug-63097-attachments.webkit.org/) I believe so, but wms would know better than I.
WebKit Review Bot
Comment 7 2011-06-21 18:05:06 PDT
Comment on attachment 98062 [details] Patch Clearing flags on attachment: 98062 Committed r89399: <http://trac.webkit.org/changeset/89399>
WebKit Review Bot
Comment 8 2011-06-21 18:05:10 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.