Bug 157885 - CSP: Account for HSTS when deciding whether to send the 'Upgrade-Insecure-Requests' Header
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Brent Fulgham
Keywords: InRadar
Depends on: 143653
Reported: 2016-05-18 23:33 PDT by Brent Fulgham
Modified: 2018-11-13 17:00 PST (History)
Description Brent Fulgham 2016-05-18 23:33:47 PDT
The 'Upgrade-Insecure-Requests' specification <https://w3c.github.io/webappsec/specs/upgrade/> suggests an optimization for sending the header, limiting it to sites that are not known canonical HSTS targets.

We should implement this check and avoid adding the header when it is not needed.
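The following is an added illustration of the check the description asks for; it is not WebKit's code and not part of this bug. It assumes a simplified known-HSTS-host store (host plus an includeSubDomains flag), a minimal scheme/host extractor instead of a real URL parser, and the rule that the header is only ever added to plaintext http requests; those are assumptions of the example, not statements about how WebKit's FrameLoader behaves.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <unordered_map>

// Constructed stand-in for a browser's known-HSTS-host store:
// host -> whether the entry also covers subdomains (includeSubDomains).
struct HSTSEntry {
    bool includeSubDomains;
};
using KnownHSTSHosts = std::unordered_map<std::string, HSTSEntry>;

// Tiny scheme/host extractor for the example (not a full URL parser).
// Returns false when the input does not look like "scheme://host...".
static bool splitSchemeAndHost(const std::string& url, std::string& scheme, std::string& host)
{
    auto sep = url.find("://");
    if (sep == std::string::npos)
        return false;
    scheme = url.substr(0, sep);
    auto start = sep + 3;
    auto end = url.find_first_of(":/?#", start);
    host = url.substr(start, end == std::string::npos ? std::string::npos : end - start);
    // Scheme and host are case-insensitive; normalise for lookups.
    for (auto& c : scheme) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    for (auto& c : host) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return !host.empty();
}

// A host is a known HSTS host if it has its own entry, or if any parent
// domain has an entry flagged includeSubDomains.
bool isKnownHSTSHost(const KnownHSTSHosts& known, const std::string& host)
{
    if (known.count(host))
        return true;
    for (auto dot = host.find('.'); dot != std::string::npos; dot = host.find('.', dot + 1)) {
        auto parent = known.find(host.substr(dot + 1));
        if (parent != known.end() && parent->second.includeSubDomains)
            return true;
    }
    return false;
}

// Decision modelled on the optimization the bug asks for (assumed rule):
// add the header only to plaintext http requests, and omit it when the
// destination is a known HSTS host, since HSTS rewrites that request to
// https before it leaves the client and the hint would be redundant.
bool shouldSendUpgradeInsecureRequests(const KnownHSTSHosts& known, const std::string& url)
{
    std::string scheme, host;
    if (!splitSchemeAndHost(url, scheme, host))
        return false;
    if (scheme != "http")
        return false; // already https, or not an HTTP(S) URL at all
    return !isKnownHSTSHost(known, host);
}

// Constructed sample store for the demonstration.
KnownHSTSHosts sampleKnownHosts()
{
    return {
        { "example.com", { /* includeSubDomains */ true } },
        { "secure.test", { /* includeSubDomains */ false } },
    };
}

int main()
{
    auto known = sampleKnownHosts();
    const char* urls[] = {
        "http://example.com/", "http://www.example.com/page",
        "http://secure.test/", "http://www.secure.test/",
        "http://other.test/", "https://other.test/",
    };
    for (auto url : urls)
        std::cout << url << " -> "
                  << (shouldSendUpgradeInsecureRequests(known, url) ? "send header" : "omit header") << '\n';
    return 0;
}
```

Note that `www.secure.test` still gets the header: the `secure.test` entry lacks includeSubDomains, so the subdomain is not an HSTS target and may legitimately be served over http. A real implementation would consult the platform's HSTS store rather than a map, but the walk up the parent labels is the part that decides whether the optimization applies.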
Comment 1 Radar WebKit Bug Importer 2016-05-19 12:38:08 PDT
<rdar://problem/26374345>
Comment 2 Michael Catanzaro 2018-11-13 17:00:43 PST
There's a FIXME for this in FrameLoader::addHTTPUpgradeInsecureRequestsIfNeeded.