Open
Bug 1494664
Opened 6 years ago
Updated 2 years ago
Add an HSTS carve-out for preventing upgrading URLs
Categories
(Core :: DOM: Security, enhancement, P3)
NEW
People
(Reporter: jkt, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog1])
For the captive portal code to work we load an HTTP URL, http://detectportal.firefox.com/success.txt, and check if it has been tampered with.
However, if firefox.com was on the preload list, this would not detect HTTP tampering.
It appears we load the URL in two places:
- As a login page: https://searchfox.org/mozilla-central/rev/ce57be88b8aa2ad03ace1b9684cd6c361be5109f/browser/base/content/browser-captivePortal.js#254
- As a check to the tampering: https://searchfox.org/mozilla-central/rev/ce57be88b8aa2ad03ace1b9684cd6c361be5109f/toolkit/components/captivedetect/captivedetect.js#25
I propose we implement a flag LOAD_BYPASS_HSTS; alternatively, we could check the URL passed into the LoadInfo and bypass the checks here: https://searchfox.org/mozilla-central/rev/ce57be88b8aa2ad03ace1b9684cd6c361be5109f/netwerk/base/LoadInfo.cpp#199
However we implement this, the tab will have to prevent upgrading of all loads for that document.
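As an added illustration (a constructed model, not Firefox code), the following JavaScript simulates the interaction described in this report: the plaintext probe, the HSTS upgrade step with a hypothetical LOAD_BYPASS_HSTS flag, and a constructed network where a captive portal intercepts HTTP. It shows why an upgraded probe cannot observe tampering. The preload entry, flag value and function names are assumptions.

```javascript
// Constructed model of the bug's scenario; not Firefox code. Names such as
// LOAD_BYPASS_HSTS, hstsUpgrade and fakeFetch are hypothetical.
const PROBE_URL = "http://detectportal.firefox.com/success.txt";
const EXPECTED_BODY = "success\n";   // body the tamper check expects to see
const LOAD_BYPASS_HSTS = 0x1;        // hypothetical load flag proposed in the bug

// Constructed preload list: pretend firefox.com is preloaded with includeSubDomains,
// which is the situation the report warns about.
const HSTS_PRELOAD = [{ host: "firefox.com", includeSubDomains: true }];

function isHstsHost(hostname) {
  return HSTS_PRELOAD.some(e =>
    hostname === e.host || (e.includeSubDomains && hostname.endsWith("." + e.host)));
}

// Models the upgrade step: http:// becomes https:// for HSTS hosts unless the
// load carries the bypass flag.
function hstsUpgrade(urlString, loadFlags = 0) {
  const url = new URL(urlString);
  if (url.protocol === "http:" && isHstsHost(url.hostname) &&
      !(loadFlags & LOAD_BYPASS_HSTS)) {
    url.protocol = "https:";
  }
  return url.href;
}

// Constructed network: a captive portal rewrites plaintext HTTP responses with its
// login page; for HTTPS it cannot present a trusted certificate, so the
// connection simply fails and no response body is ever seen.
function fakeFetch(urlString, { captivePortal }) {
  const url = new URL(urlString);
  if (!captivePortal) return { body: EXPECTED_BODY };
  if (url.protocol === "http:") return { body: "<html>Please log in</html>" };
  throw new Error("TLS handshake failed: certificate not trusted");
}

// Returns "clear", "captive" (tampering detected) or "error" (no signal either way).
// Without the bypass, an upgraded probe behind a portal yields "error", not "captive".
function probe(loadFlags, captivePortal) {
  const target = hstsUpgrade(PROBE_URL, loadFlags);
  try {
    return fakeFetch(target, { captivePortal }).body === EXPECTED_BODY ? "clear" : "captive";
  } catch (_e) {
    return "error";
  }
}
```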
Comment 1 • 6 years ago (Reporter)
Assigning to myself as I think we should get this out of the way quickly.
Assignee: nobody → jkt
Status: NEW → ASSIGNED
Updated • 6 years ago
Whiteboard: [domsecurity-active]
Comment 2 • 3 years ago
The bug assignee didn't log in to Bugzilla in the last 7 months.
:ckerschb, could you have a look please?
For more information, please visit auto_nag documentation.
Assignee: jonathan → nobody
Status: ASSIGNED → NEW
Flags: needinfo?(ckerschb)
Updated • 3 years ago
Flags: needinfo?(ckerschb)
Priority: P2 → P3
Whiteboard: [domsecurity-active] → [domsecurity-backlog1]
Updated • 2 years ago
Severity: normal → S3