HSTS is not working for custom ports as per RFC - https://www.rfc-editor.org/rfc/rfc6797
Categories
(Core :: Security: PSM, defect, P2)
Tracking
Tracking | Status
---|---
firefox116 | fixed
People
(Reporter: bhawanabhumca06, Assigned: keeler)
References
(Blocks 1 open bug)
Details
(Whiteboard: [psm-backlog])
Attachments
(1 file: text/x-phabricator-request, deleted)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Steps to reproduce:
I am accessing a website https://host1:8443 which returns HSTS header.
Actual results:
When I change URL to http://host1:8080 it's not redirected to https://host1:8080.
Though when I change url http://host1:8443 it's redirected to https://host1:8443.
Also observed in file SiteSecurityServiceState.txt, the HSTS entry below:
host1^partitionKey=%28http%2Chost1%2C8443%29:HSTS 0 19376 1705643400824,1,1
It seems HSTS is applied for the whole host and IP (host1:8443), that is why http://host1:8443 is changed to https://host1:8443.
Expected results:
As per RFC, http://host1:8080 should be redirected to https://host1:8080.
Reference:
The UA MUST replace the URI scheme with "https" [RFC2818], and
if the URI contains an explicit port component of "80", then
the UA MUST convert the port component to be "443", or
if the URI contains an explicit port component that is not
equal to "80", the port component value MUST be preserved;
otherwise,
if the URI does not contain an explicit port component, the UA
MUST NOT add one.
Comment 1•2 years ago
The Bugbug bot thinks this bug should belong to the 'Core::Networking: HTTP' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2•2 years ago
(In reply to bhawanabhumca06 from comment #0)
> User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
> Steps to reproduce:
> I am accessing a website https://host1:8443 which returns HSTS header.
> Actual results:
> When I change URL to http://host1:8080 it's not redirected to https://host1:8080.
> Though when I change url http://host1:8443 it's redirected to https://host1:8443.
> Also observed in file SiteSecurityServiceState.txt, below HSTS entry :
> host1^partitionKey=%28http%2Chost1%2C8443%29:HSTS 0 19376 1705643400824,1,1

It seems we should not isolate the HSTS entry by the port.
This is implemented in security/manager/ssl/nsSiteSecurityService.cpp, so I'll change the component to security:psm.
Comment hidden (advocacy)
Comment hidden (advocacy)
Comment 5•2 years ago
Please stop asking for updates. You reported this less than a week ago. You will see progress in this bug as we make progress on fixing it.
Comment 6•2 years ago
The severity field is not set for this bug.
:keeler, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 7•1 year ago
According to the HSTS RFC (6797), if a host is noted as HSTS, then HSTS applies
for that host regardless of port. Before this patch, the HSTS implementation
failed to take into account origin attributes with partition keys with a scheme
and port. This patch addresses this shortcoming by eliding them when storing
and comparing HSTS entries. It also takes the opportunity to remove a
now-unnecessary key suffix that differentiated types of data stored by the
implementation (because only HSTS information is stored now, this suffix is
unnecessary).
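The following is an added example, not code from the bug report or from Firefox's nsSiteSecurityService. It models the two behaviours discussed above: an HSTS cache keyed by host and port (the pre-fix behaviour the reporter observed) beside one keyed by host name only (what RFC 6797 requires), and the RFC section 8.3 URI rewriting rule the reporter quotes (scheme to https, explicit port 80 to 443, any other explicit port preserved, no port added). It also splits the quoted SiteSecurityServiceState.txt entry into its fields; that line layout is inferred from the single entry on this page and is an assumption, as are the names `HstsStore`, `HstsEntry`, `parse_state_line`, `rewrite_to_https` and `demo`. The `now_ms` value in `demo` is constructed so that a one-year max-age expires at the timestamp in the quoted entry.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import unquote, urlsplit, urlunsplit

# Constructed sample: the SiteSecurityServiceState.txt entry quoted in the report.
SAMPLE_ENTRY = "host1^partitionKey=%28http%2Chost1%2C8443%29:HSTS 0 19376 1705643400824,1,1"


@dataclass
class HstsEntry:
    host: str
    partition_key: Optional[Tuple[str, str, Optional[int]]]  # (scheme, site, port)
    expire_ms: int
    state: int
    include_subdomains: bool


def parse_state_line(line: str) -> HstsEntry:
    """Split one state-file line into its fields.

    The layout '<host>[^partitionKey=(scheme,site[,port])]:HSTS <score> <day>
    <expiry_ms>,<state>,<include_subdomains>' is inferred from the single
    entry in the report (assumption, not taken from the Firefox source).
    """
    key, _score, _day, value = line.split()
    if key.endswith(":HSTS"):
        key = key[: -len(":HSTS")]
    host, _, attrs = key.partition("^")
    partition_key = None
    if attrs.startswith("partitionKey="):
        fields = unquote(attrs[len("partitionKey="):]).strip("()").split(",")
        port = int(fields[2]) if len(fields) > 2 else None
        partition_key = (fields[0], fields[1], port)
    expire, state, subs = value.split(",")
    return HstsEntry(host, partition_key, int(expire), int(state), subs == "1")


def rewrite_to_https(url: str) -> str:
    """RFC 6797 section 8.3 URI rewriting for a known HSTS host: the scheme
    becomes https; an explicit port 80 becomes 443; any other explicit port is
    preserved; no port is added when the URI had none. Host names only (no userinfo)."""
    p = urlsplit(url)
    if p.scheme != "http":
        return url
    if p.port is None:
        netloc = p.hostname
    elif p.port == 80:
        netloc = f"{p.hostname}:443"
    else:
        netloc = f"{p.hostname}:{p.port}"
    return urlunsplit(("https", netloc, p.path, p.query, p.fragment))


class HstsStore:
    """Toy HSTS cache. key_by_port=True models the pre-fix behaviour described
    in the bug (the stored origin carried the port); False models RFC 6797,
    where a known HSTS host is identified by host name alone."""

    def __init__(self, key_by_port: bool) -> None:
        self.key_by_port = key_by_port
        self._expiry_ms = {}

    def _key(self, p):
        return (p.hostname, p.port) if self.key_by_port else p.hostname

    def record(self, url: str, max_age_s: int, now_ms: int) -> None:
        """Remember a Strict-Transport-Security response. Only responses
        received over HTTPS count (RFC 6797 section 8.1)."""
        p = urlsplit(url)
        if p.scheme == "https":
            self._expiry_ms[self._key(p)] = now_ms + max_age_s * 1000

    def is_known_hsts_host(self, url: str, now_ms: int) -> bool:
        expiry = self._expiry_ms.get(self._key(urlsplit(url)))
        return expiry is not None and expiry > now_ms

    def navigate(self, url: str, now_ms: int) -> str:
        """Return the URL the user agent would actually load."""
        if self.is_known_hsts_host(url, now_ms):
            return rewrite_to_https(url)
        return url


def demo(key_by_port: bool, now_ms: int = 1_674_107_400_824) -> dict:
    """Replay the report: learn HSTS from https://host1:8443, then request
    plain http on three ports. With host-only keying, 8080 is upgraded and
    its port is preserved, as the RFC text in the report requires."""
    store = HstsStore(key_by_port)
    store.record("https://host1:8443/", max_age_s=31_536_000, now_ms=now_ms)
    return {u: store.navigate(u, now_ms)
            for u in ("http://host1:8080/", "http://host1:8443/", "http://host1/")}


if __name__ == "__main__":
    print("state entry:", parse_state_line(SAMPLE_ENTRY))
    print("port-keyed (bug):", demo(key_by_port=True))
    print("host-keyed (RFC):", demo(key_by_port=False))
```

Running the module shows the asymmetry from the report: with the port-keyed cache only http://host1:8443 is upgraded, while with host-keyed lookup http://host1:8080 becomes https://host1:8080 and http://host1 becomes https://host1 with no port added.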
Comment 9•1 year ago
bugherder