Pull request: https://github.com/WebKit/WebKit/pull/12566

Committed 262817@main (cebc10654f3c): <https://commits.webkit.org/262817@main> Reviewed commits have been landed. Closing PR #12566 and removing active labels.

Looks like this patch broke HSTS with redirects from the UI perspective. Not sure if it broke when merging or during the last 2 years. With my repro (https://github.com/microsoft/playwright/issues/35293#issuecomment-2741690676) I was able to reproduce it in Epiphany 46. How does it surface? - Its only about HSTS during a redirection - The URL the browser is surfacing (window.location AND URL bar) is still HTTP - There is certificate information shown in the browser UI - The actual content which is fetched is HTTPS (post-HSTS) - When reverting the change in https://github.com/WebKit/WebKit/pull/12566 it seems to work as expected. - See the screenshot how it ends up: https://github.com/user-attachments/assets/5cb18f31-e071-4ac1-bd99-38970b3022e3 General notes about HSTS while debugging: - Doesn't work on localhost - Doesn't work with self-signed TLS certificate Downstream issue: https://github.com/microsoft/playwright/issues/35293

We will need a new bug report for this, please!

Done in https://bugs.webkit.org/show_bug.cgi?id=290204