RESOLVED FIXED 63097
bugs.webkit.org should use Strict-Transport-Security 
https://bugs.webkit.org/show_bug.cgi?id=63097
Summary bugs.webkit.org should use Strict-Transport-Security
Adam Barth
Reported 2011-06-21 15:18:41 PDT
bugs.webkit.org should use Strict-Transport-Security
Attachments
Patch (1.12 KB, patch)
2011-06-21 15:19 PDT, Adam Barth 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Adam Barth
Comment 1 2011-06-21 15:19:52 PDT
Created attachment 98062 [details] Patch
Adam Barth
Comment 2 2011-06-21 15:20:34 PDT
Comment on attachment 98062 [details] Patch My Apache is somewhat rusty, so patch is somewhat of a guess.
Eric Seidel (no email)
Comment 3 2011-06-21 15:25:02 PDT
SGTM.
Eric Seidel (no email)
Comment 4 2011-06-21 15:25:02 PDT
SGTM.
Chris Evans
Comment 5 2011-06-21 15:28:51 PDT
What about ;includeSubDomains (or however it is spelled) It defends against some additional faults in corner cases. Does this cover the attachment origins too? (e.g. https://bug-63097-attachments.webkit.org/)
Adam Barth
Comment 6 2011-06-21 15:40:51 PDT
> What about ;includeSubDomains (or however it is spelled) > It defends against some additional faults in corner cases. Looks like bugzilla only uses host cookies, so we probably don't need this. (It's not useful for integrity unless we can get all of webkit.org, which seems unlikely.) > Does this cover the attachment origins too? (e.g. https://bug-63097-attachments.webkit.org/) I believe so, but wms would know better than I.
WebKit Review Bot
Comment 7 2011-06-21 18:05:06 PDT
Comment on attachment 98062 [details] Patch Clearing flags on attachment: 98062 Committed r89399: <http://trac.webkit.org/changeset/89399>
WebKit Review Bot
Comment 8 2011-06-21 18:05:10 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.