Implement HSTS #14363

Ms2ger · 2016-11-24T13:52:30Z

No description provided.

frewsxcv · 2016-11-27T16:19:05Z

Relevant section:

https://fetch.spec.whatwg.org/#main-fetch

Part of step 9:

Matching request’s current url’s host per Known HSTS Host Domain Name Matching results in either a superdomain match with an asserted includeSubDomains directive or a congruent match (with or without an asserted includeSubDomains directive) [HSTS]

frewsxcv · 2016-12-08T19:03:54Z

Related: #8580

Implement HSTS fetch step Implemented step nine of the main fetch. If current URL scheme is 'HTTP' and current URL's host is domain and if current URL's host matched with Known HSTS Host Domain Name Matching results in either a superdomain match with an asserted includeSubDomains directive or a congruent match then we change request scheme to 'https'. This change has been made in method.rs A test case to validate this has been added in fetch.rs. For asserting https scheme, a https localhost was required. For this purpose I have created a self-signed certificate and refactored fetch-context and connector.rs to programmatically trust this certificate for running this test case. This should fix #14363  ---  - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors - [X] These changes fix #14363  - [X] There are tests for these changes   --- This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/14716)

…r=jdm Implemented step nine of the main fetch. If current URL scheme is 'HTTP' and current URL's host is domain and if current URL's host matched with Known HSTS Host Domain Name Matching results in either a superdomain match with an asserted includeSubDomains directive or a congruent match then we change request scheme to 'https'. This change has been made in method.rs A test case to validate this has been added in fetch.rs. For asserting https scheme, a https localhost was required. For this purpose I have created a self-signed certificate and refactored fetch-context and connector.rs to programmatically trust this certificate for running this test case. This should fix servo/servo#14363  ---  - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors - [X] These changes fix #14363  - [X] There are tests for these changes  Source-Repo: https://github.com/servo/servo Source-Revision: c7991d596f7453d09c2b2a98eecce72f182a4e24

…r=jdm Implemented step nine of the main fetch. If current URL scheme is 'HTTP' and current URL's host is domain and if current URL's host matched with Known HSTS Host Domain Name Matching results in either a superdomain match with an asserted includeSubDomains directive or a congruent match then we change request scheme to 'https'. This change has been made in method.rs A test case to validate this has been added in fetch.rs. For asserting https scheme, a https localhost was required. For this purpose I have created a self-signed certificate and refactored fetch-context and connector.rs to programmatically trust this certificate for running this test case. This should fix servo/servo#14363  ---  - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors - [X] These changes fix #14363  - [X] There are tests for these changes  Source-Repo: https://github.com/servo/servo Source-Revision: c7991d596f7453d09c2b2a98eecce72f182a4e24 UltraBlame original commit: fb3cb6e8f720e2772efba1fae1ea4dc87b8e8a72

Darkspirit · 2019-12-24T18:26:15Z

Please reopen. This issue was filed for the regression caused by #14360 (comment):
It removed the function that added received HSTS headers to the internal HSTS database. Since then, only Preloaded entries are applied. The PR that closed this issue did not add it back.

Only these cases are tested:

upgrade http to https with a pre-defined HSTS database (Write a WPT test for STS headers #6921 was primarily about this)
ignore HSTS header received via http

Not tested:

HSTS header received via https is added to the internal database

Likely not tested:

ws:// is upgraded to wss://
HSTS header received via wss:// is added to the internal database

Originally I was just asking myself, if ws:// gets upgraded to wss:// by current code. It doesn't seem so.
https://fetch.spec.whatwg.org/#websocket-opening-handshake

This upgrades http to https:

servo/components/net/fetch/methods.rs

Lines 262 to 268 in 8002c6b

    
           // Step 10. 
        
           context 
        
               .state 
        
               .hsts_list 
        
               .read() 
        
               .unwrap() 
        
               .switch_known_hsts_host_domain_url_to_https(request.current_url_mut());

If websocket requests go through this function, ws to wss upgrades could be done here as well:

servo/components/net/hsts.rs

Lines 141 to 152 in f1dd31f

    
           /// Step 10 of https://fetch.spec.whatwg.org/#concept-main-fetch. 
        
           pub fn switch_known_hsts_host_domain_url_to_https(&self, url: &mut ServoUrl) { 
        
               if url.scheme() != "http" { 
        
                   return; 
        
               } 
        
               if url 
        
                   .domain() 
        
                   .map_or(false, |domain| self.is_host_secure(domain)) 
        
               { 
        
                   url.as_mut_url().set_scheme("https").unwrap(); 
        
               } 
        
           }

Otherwise, a call to switch_known_hsts_host_domain_url_to_https() could be added after this code:

servo/components/net/websocket_loader.rs

Lines 195 to 201 in 8002c6b

    
           let scheme = req_builder.url.scheme(); 
        
           let mut req_url = req_builder.url.clone(); 
        
           if scheme == "ws" { 
        
               req_url.as_mut_url().set_scheme("http").unwrap(); 
        
           } else if scheme == "wss" { 
        
               req_url.as_mut_url().set_scheme("https").unwrap(); 
        
           }

jdm · 2019-12-24T18:27:18Z

Thanks for checking!

Darkspirit · 2019-12-24T19:24:07Z

Along this, it would be good to add these prefs to switch_known_hsts_host_domain_url_to_https():

"network.enforce_https.enabled": false, with the following exceptions:
- "network.enforce_https.localhost": false, (incl. loopback IPs)
- "network.enforce_https.onion": false,

This would also address #20120. The same should be done for Firefox: bug 1335590

Darkspirit · 2019-12-25T01:51:15Z

@highfive assign me

highfive · 2019-12-25T01:51:18Z

Hey @Darkspirit! Thanks for your interest in working on this issue. It's now assigned to you!

Fix HSTS The headers crate does not [expose](https://github.com/hyperium/headers/blob/0c42ad8cf56f9af28973c3da71616fa478781fdf/src/common/strict_transport_security.rs#L42) HSTS struct fields. At the moment, it's only usable for HSTS header encoding. An update of the headers crate would require a huge update of http, hyper, hyper_serde, net::decoder as well. Therefore I've copied the `typed_get::<StrictTransportSecurity>` decoding feature for now, but with exposed struct fields. Let's remove this custom struct with the next hyper upgrade. I tried to prevent needless HSTS database lookups when network.enforce_tls.enabled is set. --- - [x] `./mach build -d` does not report any errors - [x] `./mach test-tidy` does not report any errors - [x] These changes fix #14363. - [x] There are tests for these changes

Fix HSTS The headers crate does not [expose](https://github.com/hyperium/headers/blob/0c42ad8cf56f9af28973c3da71616fa478781fdf/src/common/strict_transport_security.rs#L42) HSTS struct fields. At the moment, it's only usable for HSTS header encoding. An update of the headers crate would require a huge update of http, hyper, hyper_serde, net::decoder as well. Therefore I've copied the `typed_get::<StrictTransportSecurity>` decoding feature for now, but with exposed struct fields. Let's remove this custom struct with the next hyper upgrade. I tried to prevent needless HSTS database lookups when network.enforce_tls.enabled is set. --- - [x] `./mach build -d` does not report any errors - [x] `./mach test-tidy` does not report any errors - [x] These changes fix #14363, fix #20120. - [x] There are tests for these changes

Ms2ger added the A-network label Nov 24, 2016

Ms2ger mentioned this issue Nov 24, 2016

Remove the legacy networking stack. #14360

Merged

frewsxcv assigned frewsxcv and unassigned frewsxcv Dec 7, 2016

nmvk mentioned this issue Dec 25, 2016

Implement HSTS fetch step #14716

Merged

4 tasks

bors-servo closed this as completed in #14716 Dec 29, 2016

jdm reopened this Dec 24, 2019

highfive added the C-assigned There is someone working on resolving the issue label Dec 25, 2019

Darkspirit mentioned this issue Dec 30, 2019

Fix HSTS #25404

Merged

4 tasks

bors-servo closed this as completed in e201b16 Jan 8, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Implement HSTS #14363

Implement HSTS #14363

Ms2ger commented Nov 24, 2016

frewsxcv commented Nov 27, 2016

frewsxcv commented Dec 8, 2016

Darkspirit commented Dec 24, 2019 •

edited

jdm commented Dec 24, 2019

Darkspirit commented Dec 24, 2019 •

edited

Darkspirit commented Dec 25, 2019

highfive commented Dec 25, 2019

Implement HSTS #14363

Implement HSTS #14363

Comments

Ms2ger commented Nov 24, 2016

frewsxcv commented Nov 27, 2016

frewsxcv commented Dec 8, 2016

Darkspirit commented Dec 24, 2019 • edited

jdm commented Dec 24, 2019

Darkspirit commented Dec 24, 2019 • edited

Darkspirit commented Dec 25, 2019

highfive commented Dec 25, 2019

Darkspirit commented Dec 24, 2019 •

edited

Darkspirit commented Dec 24, 2019 •

edited