NEW 282054
HSTS should ignore strict-transport-security response headers from localhost
https://bugs.webkit.org/show_bug.cgi?id=282054
Eric Lawrence (MSFT)
Reported 2024-10-24 11:37:38 PDT
https://issues.chromium.org/issues/41251622

Strict-Transport-Security response headers can cause problems for localhost web servers because STS applies host-wide, across all ports. This causes compatibility problems for web developers testing locally as well as end-users who use software packages that commonly spin up localhost web servers for ephemeral reasons (e.g. communication of an auth token from a web login to a local software package). If one local listener sets Strict-Transport-Security on a localhost response, it will be applied to all subsequent localhost requests regardless of port. We resolve this problem by ignoring Strict-Transport-Security headers on responses from localhost URLs.
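To make the host-wide scope concrete, here is a small model of an HSTS cache (added illustration, not WebKit's or Chromium's code): entries are keyed by host only, so one https localhost listener that sends the header would force every later plain-http localhost request onto https regardless of port, while the `ignore_localhost` switch models the behavior this bug proposes. The `HstsCache`, `is_localhost` and `parse_max_age` names, the lowercased header dict, and the omission of expiry bookkeeping are simplifications assumed for the example.

```python
from urllib.parse import urlsplit, urlunsplit


def is_localhost(host: str) -> bool:
    # Simplified "is localhost" test: the name "localhost", any *.localhost
    # name, and the IPv4/IPv6 loopback literals (urlsplit strips the brackets).
    host = host.lower().rstrip(".")
    return (host == "localhost" or host.endswith(".localhost")
            or host.startswith("127.") or host == "::1")


def parse_max_age(value: str):
    # Minimal STS parser: the max-age directive in seconds, or None if it is
    # missing or malformed (a UA ignores the header in that case).
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else None
    return None


class HstsCache:
    def __init__(self, ignore_localhost: bool):
        self.ignore_localhost = ignore_localhost
        self.known_hosts = set()  # keyed by host name only, never by port

    def process_response(self, url: str, headers: dict) -> None:
        # headers is assumed to have lowercased keys (constructed for the example).
        parts = urlsplit(url)
        sts = headers.get("strict-transport-security")
        # Only a secure response may set HSTS (RFC 6797); with the proposed
        # fix a localhost response is skipped before anything is stored.
        if parts.scheme != "https" or sts is None:
            return
        if self.ignore_localhost and is_localhost(parts.hostname):
            return
        max_age = parse_max_age(sts)
        if max_age is None:
            return
        if max_age == 0:
            self.known_hosts.discard(parts.hostname)  # max-age=0 clears the entry
        else:
            self.known_hosts.add(parts.hostname)

    def upgrade(self, url: str) -> str:
        # Rewrite http to https when the host is known. The port is preserved,
        # which is exactly why a dev server on another port stops answering.
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in self.known_hosts:
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url
```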
Anne van Kesteren
Comment 1 2024-10-24 14:27:23 PDT
Reportedly Firefox already does this. Eric posted a patch to standardize this behavior in Fetch here: https://github.com/whatwg/fetch/pull/1781 Seems reasonable enough to adopt.
Eric Lawrence (MSFT)
Comment 2 2024-10-24 14:32:05 PDT
Radar WebKit Bug Importer
Comment 3 2024-10-25 07:44:59 PDT
Eric Lawrence (MSFT)
Comment 4 2024-10-30 10:52:09 PDT
Eric Lawrence (MSFT)
Comment 5 2024-11-08 07:42:59 PST
As of November 5, 2024, the Fetch standard has been updated to require skipping localhost. https://fetch.spec.whatwg.org/#main-fetch