NEW 157885
CSP: Account for HSTS when deciding whether to send the 'Upgrade-Insecure-Requests' Header
https://bugs.webkit.org/show_bug.cgi?id=157885
Brent Fulgham
Reported 2016-05-18 23:33:47 PDT
The 'Upgrade-Insecure-Requests' specification <https://w3c.github.io/webappsec/specs/upgrade/> suggests an optimization to sending the header, limiting it to sites that are not known canonical HSTS targets. We should implement this check and avoid adding the header when it is not needed.
Radar WebKit Bug Importer
Comment 1 2016-05-19 12:38:08 PDT
Michael Catanzaro
Comment 2 2018-11-13 17:00:43 PST
There's a FIXME for this in FrameLoader::addHTTPUpgradeInsecureRequestsIfNeeded.
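The check requested in this bug, as an added C++ example that is not WebKit code and not part of the original report or comments. `HstsStore`, `isKnownHstsHost`, `shouldSendUpgradeInsecureRequests`, `sampleDecision` and the sample hosts are hypothetical, and reading "known HSTS target" as a host covered by an unexpired RFC 6797 policy is an assumption.

```cpp
#include <chrono>
#include <map>
#include <string>

using Clock = std::chrono::system_clock;

// One stored Strict-Transport-Security policy (hypothetical store layout).
struct HstsEntry {
    Clock::time_point expires; // receipt time + max-age
    bool includeSubDomains;
};
using HstsStore = std::map<std::string, HstsEntry>; // key: lowercase host name

// RFC 6797 matching: an unexpired policy on the host itself, or on a
// superdomain whose policy carries includeSubDomains.
bool isKnownHstsHost(const HstsStore& store, std::string host, Clock::time_point now)
{
    for (bool exact = true; !host.empty(); exact = false) {
        auto it = store.find(host);
        if (it != store.end() && it->second.expires > now
            && (exact || it->second.includeSubDomains))
            return true;
        auto dot = host.find('.');
        if (dot == std::string::npos)
            break;
        host.erase(0, dot + 1); // step up to the parent domain
    }
    return false;
}

// The header is only useful for hosts the browser would not already upgrade.
bool shouldSendUpgradeInsecureRequests(const HstsStore& store, const std::string& host,
                                       Clock::time_point now)
{
    return !isKnownHstsHost(store, host, now);
}

// Constructed sample store and clock, for demonstration only.
bool sampleDecision(const std::string& host)
{
    using std::chrono::hours;
    const Clock::time_point now = Clock::time_point{} + hours(100);
    const HstsStore store = {
        {"secure.example", {now + hours(1), true}},  // live, covers subdomains
        {"plain.example", {now + hours(1), false}},  // live, exact host only
        {"stale.example", {now - hours(1), true}},   // expired policy
    };
    return shouldSendUpgradeInsecureRequests(store, host, now);
}
```

An expired policy and a subdomain of a host whose policy lacks `includeSubDomains` both fall back to sending the header, since HSTS no longer guarantees the upgrade for them.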