Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Redirect to HTTPS, or lock CORS to HTTPS only #19

Closed
konklone opened this issue May 18, 2015 · 2 comments
Closed

Redirect to HTTPS, or lock CORS to HTTPS only #19

konklone opened this issue May 18, 2015 · 2 comments
Labels
declined enhancement

Comments

@konklone
Copy link

A full forced redirect to HTTPS should have no negative impact on browsers accessing code.jquery.com through a <script> tag. An HSTS header would further protect visitors to sites that embed an insecure code.jquery.com link.

Alternatively, I can see that CORS has just recently been enabled for resources on code.jquery.com. Safari does break on attempts to redirect CORS URLs from HTTP to HTTPS, even if both endpoints have CORS headers enabled.

Before the jQuery CDN develops much of a user base for its CORS support, the most immediate helpful thing to avoid making it difficult for the CDN to force a redirect in the future would be to only provide CORS support for HTTPS requests. This would at least prevent the situation from deterioriating while the jQuery CDN evaluates a full switch to HTTPS and HSTS.
@Krinkle
Copy link
Member

Krinkle commented Mar 7, 2021

We choose not to perform forceful redirects from HTTP for back-compatibility. As a widely used CDN, these can cause issues for some users where HTTPS is not an option, where it is intentionally not used, or where redirects may cause failures.

We have seen more than once in large projects that while in theory all HTTP clients should be able to follow redirects, there are plenty of proxies and crawler scripts that will naively download a URL and use the response. I've more than once found that a deployment pipeline, build script, or production workload stopped working because a URL became redirect. At this point, it does not seem to benefit anyone if we deny HTTP serving and/or force redirects.

We have been promoting use of SRI hashes in <script> tags for many years, which can be seen by clicking on any resource at https://code.jquery.com/ (uses JavaScript). In supported browsers, when using SRI, it thus is already validated that the expected content is served and cannot be modified or otherwise hijacked.

See also https://jcs.org/2021/01/06/plaintext for background on HTTP access.

However, enabling HSTS and adding ourselves to the preload list makes perfect sense. This will be worked on at #63.

@Krinkle Krinkle closed this as completed Mar 7, 2021
@mgol
Copy link
Member

mgol commented Mar 7, 2021

@Krinkle a redirect to HTTPS is one of prerequisites of adding a domain to the HSTS preload list as documented at https://hstspreload.org/. So it looks like we can enable HSTS but it will never be preloaded?

@mgol mgol mentioned this issue Mar 8, 2021
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
declined enhancement
Milestone
No milestone
Development

No branches or pull requests
3 participants
@konklone @Krinkle @mgol