Closed Bug 836898 Opened 12 years ago Closed 12 years ago

Update STS preload list

Categories

(Core :: Security, defect)

x86_64
Linux
defect
Not set
normal


RESOLVED DUPLICATE of bug 844527

People

(Reporter: evilpie, Assigned: evilpie)

Attachments

(2 files, 1 obsolete file)

Some websites changed. We should probably do this for every release?
Also we need to coordinate with Persona/browserid. (https://github.com/mozilla/browserid/issues/2903) They are rolling out a change on Feb 13th.
So, there's bug 836097 on file for getting this done automatically. If we're getting near(er) the merge date and we're not done with that, we can do it by hand.
We are getting close! I also wrote a patch that changes the update script, so that we don't abort if we are redirecting to a URI that is also on the STS list.
Last week we discussed that change. Basically we could always allow redirects, because we still check for the STS header. I still think we should only do it for pages which were explicitly put onto the list.
Assignee: nobody → evilpies
Status: NEW → ASSIGNED
Attached patch Updated list (obsolete) (deleted) — Splinter Review
Updated list after applying the previous patch.

We still don't have persona.org, login.persona.org nor browserid!
Attachment #715498 - Flags: review?(dkeeler)
Attachment #715499 - Flags: review?(dkeeler)
Comment on attachment 715498 [details] [diff] [review]
Allow redirects to pages on the STS list

Review of attachment 715498 [details] [diff] [review]:
-----------------------------------------------------------------

I think we would need the changes to getHSTSPreloadList.js in this patch.

Also, I maintain my skepticism that putting foo.com on the list when we get [foo.com 301 redirect without sts header] -> [www.foo.com with sts header] is the right thing to do (that's the goal here, right?). Certainly, putting www.foo.com on the list would be reasonable, but since foo.com has told us nothing of its HSTS state, if we're going to follow the spec, we can't consider it an HSTS host.

Also also, this should be a separate bug.
Attachment #715498 - Flags: review?(dkeeler)
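The eligibility rule the review above argues for, written out as an added example (not code from either patch or from getHSTSPreloadList.js): a host counts as an HSTS host only if its own HTTPS response carried a valid Strict-Transport-Security header; a host that 301-redirects without the header to a host that does send it is not eligible, while the redirect target is. The response table and the minimum max-age value passed in are constructed for the example.

```javascript
// Parse a Strict-Transport-Security header value (RFC 6797, section 6.1).
// Returns { maxAge, includeSubDomains } or null when the header is invalid
// (no max-age, a non-numeric max-age, or a duplicated max-age directive).
function parseSTS(value) {
  if (typeof value !== "string") return null;
  let maxAge = null;
  let includeSubDomains = false;
  for (const rawDirective of value.split(";")) {
    const directive = rawDirective.trim();
    if (!directive) continue;
    const eq = directive.indexOf("=");
    const name = (eq < 0 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const val = eq < 0 ? null : directive.slice(eq + 1).trim().replace(/^"|"$/g, "");
    if (name === "max-age") {
      if (maxAge !== null || val === null || !/^\d+$/.test(val)) return null;
      maxAge = parseInt(val, 10);
    } else if (name === "includesubdomains") {
      includeSubDomains = true;
    }
    // Unknown directives are ignored, as the spec requires.
  }
  if (maxAge === null) return null;
  return { maxAge, includeSubDomains };
}

// Decide whether `host` is a preload candidate. `responses` maps a host to
// the response it gave over HTTPS: { status, location?, sts? }. Only the
// host's own response is consulted; a redirect is never followed to borrow
// another host's header, which is the point made in the review.
function preloadStatus(host, responses, minMaxAge) {
  const r = responses[host];
  if (!r) return { host, eligible: false, reason: "no response" };
  const sts = parseSTS(r.sts);
  if (sts) {
    if (sts.maxAge < minMaxAge) return { host, eligible: false, reason: "max-age too short" };
    return { host, eligible: true, includeSubDomains: sts.includeSubDomains };
  }
  if (r.status === 301 || r.status === 302) {
    return { host, eligible: false, reason: `redirects to ${r.location} without STS header` };
  }
  return { host, eligible: false, reason: "no STS header" };
}

// Constructed responses mirroring the review's foo.com -> www.foo.com case.
const constructedResponses = {
  "foo.com": { status: 301, location: "https://www.foo.com/" },
  "www.foo.com": { status: 200, sts: "max-age=15768000; includeSubDomains" },
  "short.example": { status: 200, sts: "max-age=3600" },
};
```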
Attached patch just the update (deleted) — Splinter Review
I am fine with not making the change here. This is the updated list with the old script.
Attachment #715499 - Attachment is obsolete: true
Attachment #715499 - Flags: review?(dkeeler)
Attachment #717334 - Flags: review?(dkeeler)
Comment on attachment 717334 [details] [diff] [review]
just the update

Review of attachment 717334 [details] [diff] [review]:
-----------------------------------------------------------------

I think the patch in bug 844527 will supersede this one, so I'm clearing the review for now.
Attachment #717334 - Flags: review?(dkeeler)
I guess we can just dupe this now.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE