Bug 63097 - bugs.webkit.org should use Strict-Transport-Security
Summary: bugs.webkit.org should use Strict-Transport-Security
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Adam Barth
Reported: 2011-06-21 15:18 PDT by Adam Barth
Modified: 2011-06-21 18:05 PDT
Attachments
Patch (1.12 KB, patch)
2011-06-21 15:19 PDT, Adam Barth
Description Adam Barth 2011-06-21 15:18:41 PDT
bugs.webkit.org should use Strict-Transport-Security
Comment 1 Adam Barth 2011-06-21 15:19:52 PDT
Created attachment 98062
Patch
Comment 2 Adam Barth 2011-06-21 15:20:34 PDT
Comment on attachment 98062
Patch

My Apache is somewhat rusty, so patch is somewhat of a guess.
Comment 3 Eric Seidel (no email) 2011-06-21 15:25:02 PDT
SGTM.
Comment 4 Eric Seidel (no email) 2011-06-21 15:25:02 PDT
SGTM.
Comment 5 Chris Evans 2011-06-21 15:28:51 PDT
What about ;includeSubDomains (or however it is spelled)?
It defends against some additional faults in corner cases.

Does this cover the attachment origins too? (e.g. https://bug-63097-attachments.webkit.org/)
Comment 6 Adam Barth 2011-06-21 15:40:51 PDT
> What about ;includeSubDomains (or however it is spelled)?
> It defends against some additional faults in corner cases.

Looks like bugzilla only uses host cookies, so we probably don't need this.  (It's not useful for integrity unless we can get all of webkit.org, which seems unlikely.)

> Does this cover the attachment origins too? (e.g. https://bug-63097-attachments.webkit.org/)

I believe so, but wms would know better than I.
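
The host-matching question raised in comments 5 and 6, as an added example that is not part of the original thread or of the WebKit patch: a small Python model of how a user agent applies a Strict-Transport-Security policy under RFC 6797. The header values are constructed (the page does not show the patch contents), the class and function names are hypothetical, and max-age expiry is not modelled.

```python
import re

def parse_sts(header):
    """Return (max_age, include_subdomains), or None if the value is invalid."""
    seen = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:
            return None  # a directive must not appear more than once
        seen[name] = value.strip().strip('"')  # max-age may be a quoted-string
    if not re.fullmatch(r"\d+", seen.get("max-age", "")):
        return None  # max-age is required and must be numeric
    return int(seen["max-age"]), "includesubdomains" in seen

class HstsStore:
    """Known HSTS hosts as a user agent would remember them (no expiry)."""
    def __init__(self):
        self.hosts = {}  # host -> include_subdomains flag

    def note(self, host, header):
        """Record the policy a host sent over an error-free HTTPS connection."""
        policy = parse_sts(header)
        if policy is None:
            return
        max_age, include_sub = policy
        host = host.lower().rstrip(".")
        if max_age == 0:
            self.hosts.pop(host, None)  # max-age=0 deletes the entry
        else:
            self.hosts[host] = include_sub

    def is_covered(self, host):
        """Exact match, or a superdomain that set includeSubDomains."""
        labels = host.lower().rstrip(".").split(".")
        if ".".join(labels) in self.hosts:
            return True
        return any(self.hosts.get(".".join(labels[i:]))
                   for i in range(1, len(labels)))

def coverage(header, sender="bugs.webkit.org"):
    """Which of the hosts named in the thread are upgraded after `sender`
    returns `header` (constructed values, not the landed configuration)."""
    store = HstsStore()
    store.note(sender, header)
    return {h: store.is_covered(h) for h in
            ("bugs.webkit.org", "bug-63097-attachments.webkit.org", "webkit.org")}
```

In this model the attachment host is a sibling of bugs.webkit.org rather than a subdomain, so it is covered only if it sends the header itself or if webkit.org sets includeSubDomains.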
Comment 7 WebKit Review Bot 2011-06-21 18:05:06 PDT
Comment on attachment 98062
Patch

Clearing flags on attachment: 98062

Committed r89399: <http://trac.webkit.org/changeset/89399>
Comment 8 WebKit Review Bot 2011-06-21 18:05:10 PDT
All reviewed patches have been landed.  Closing bug.