RESOLVED FIXED 290204
[SOUP] HSTS redirection is not updating new URL in UI / window.location.href
https://bugs.webkit.org/show_bug.cgi?id=290204
Max Schmitt
Reported 2025-03-21 12:50:05 PDT
Looks like https://bugs.webkit.org/show_bug.cgi?id=255218 broke HSTS with redirects from the UI perspective. Not sure if it broke when merging or during the last 2 years. With my repro (https://github.com/microsoft/playwright/issues/35293#issuecomment-2741690676) I was able to reproduce it in Epiphany 46.

How does it surface?
- It's only about HSTS during a redirection
- The URL the browser is surfacing (window.location AND URL bar) is still HTTP
- There is certificate information shown in the browser UI
- The actual content which is fetched is HTTPS (post-HSTS)
- When reverting the change in https://github.com/WebKit/WebKit/pull/12566 it seems to work as expected.
- See the screenshot how it ends up: https://github.com/user-attachments/assets/5cb18f31-e071-4ac1-bd99-38970b3022e3

General notes about HSTS while debugging:
- Doesn't work on localhost
- Doesn't work with self-signed TLS certificate

Downstream issue: https://github.com/microsoft/playwright/issues/35293
Max Schmitt
Comment 1 2025-04-10 04:40:37 PDT
I made a public repro:
1. Go to https://webkit.love/
2. Click on the link

Expected: URL bar & window.location.href has HTTPS
Actual: URL bar & window.location.href has HTTP

Note: When navigating to the https:// site it sets the HSTS header, a redirect to http should then immediately get redirected to https://. This works in Safari, Chromium and Firefox.
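The behaviour described in the note above, modelled as an added example (not part of the original comment, and not WebKit or Playwright code): each redirect hop is upgraded against a known-HSTS-host store before it is fetched, and a reported href is compared with the URL that was actually fetched. The host `site.example`, the route table and all function names are constructed for illustration; host matching is exact, with no `includeSubDomains` handling.

```javascript
// Added illustration, not WebKit or Playwright code. Hosts, routes and
// function names are constructed for this example.

// Honour Strict-Transport-Security only on HTTPS responses (RFC 6797, 8.1).
function noteHsts(url, header, store, now) {
  const m = /max-age\s*=\s*"?(\d+)/i.exec(header || '');
  if (url.protocol !== 'https:' || !m) return;
  if (Number(m[1]) === 0) store.delete(url.hostname);
  else store.set(url.hostname, now + Number(m[1]) * 1000);
}

// Upgrade http: to https: when the host has an unexpired HSTS entry.
function upgrade(url, store, now) {
  const u = new URL(url);
  if (u.protocol === 'http:' && (store.get(u.hostname) || 0) > now) u.protocol = 'https:';
  return u;
}

// Follow redirects. Each hop is upgraded before it is fetched, and the URL
// that was actually fetched is the one the page is expected to expose.
function navigate(start, routes, store, now = Date.now()) {
  const hops = [];
  let requested = new URL(start);
  for (let i = 0; i < 10; i++) {
    const fetched = upgrade(requested, store, now);
    const res = routes[fetched.href];
    if (!res) throw new Error(`no route for ${fetched.href}`);
    hops.push({ requested: requested.href, fetched: fetched.href });
    noteHsts(fetched, res.sts, store, now);
    if (res.status < 300 || res.status > 399) return { hops, expectedHref: fetched.href };
    requested = new URL(res.location, fetched);
  }
  throw new Error('too many redirects');
}

// Compare what a browser reports (location.href / URL bar) with the model.
function checkReportedHref(result, reportedHref) {
  const last = result.hops[result.hops.length - 1];
  if (reportedHref === result.expectedHref) return 'ok';
  return reportedHref === last.requested ? 'stale-pre-hsts-url' : 'mismatch';
}

// Constructed sample mirroring the report: an HTTPS page sets HSTS, then a
// link on the same host redirects to plain HTTP.
const sampleRoutes = {
  'https://site.example/': { status: 200, sts: 'max-age=31536000' },
  'https://site.example/go': { status: 302, location: 'http://site.example/landing' },
  'https://site.example/landing': { status: 200 },
};
```

`checkReportedHref` returns `'stale-pre-hsts-url'` when the reported href is the redirect target as it stood before the HSTS upgrade, which is the symptom reported in this bug.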
Patrick Griffis
Comment 2 2025-04-15 10:20:43 PDT
EWS
Comment 3 2025-04-21 13:34:24 PDT
Committed 293933@main (577c1fd295e8): <https://commits.webkit.org/293933@main> Reviewed commits have been landed. Closing PR #44099 and removing active labels.