Servo should only support HTTPS connections, zero without "S" #20120
Labels
Comments
Revocation is broken. Firefox for Android only fetches OCSP for EV certs (if there was no stapled OCSP response). |
|
I don't think cutting off access to non-HTTPS is feasible yet, given the huge volume of unsecured legacy web content. |
Closed
bors-servo
pushed a commit
that referenced
this issue
Jan 8, 2020
Fix HSTS The headers crate does not [expose](https://github.com/hyperium/headers/blob/0c42ad8cf56f9af28973c3da71616fa478781fdf/src/common/strict_transport_security.rs#L42) HSTS struct fields. At the moment, it's only usable for HSTS header encoding. An update of the headers crate would require a huge update of http, hyper, hyper_serde, net::decoder as well. Therefore I've copied the `typed_get::<StrictTransportSecurity>` decoding feature for now, but with exposed struct fields. Let's remove this custom struct with the next hyper upgrade. I tried to prevent needless HSTS database lookups when network.enforce_tls.enabled is set. --- - [x] `./mach build -d` does not report any errors - [x] `./mach test-tidy` does not report any errors - [x] These changes fix #14363, fix #20120. - [x] There are tests for these changes
bors-servo
pushed a commit
that referenced
this issue
Jan 8, 2020
Fix HSTS The headers crate does not [expose](https://github.com/hyperium/headers/blob/0c42ad8cf56f9af28973c3da71616fa478781fdf/src/common/strict_transport_security.rs#L42) HSTS struct fields. At the moment, it's only usable for HSTS header encoding. An update of the headers crate would require a huge update of http, hyper, hyper_serde, net::decoder as well. Therefore I've copied the `typed_get::<StrictTransportSecurity>` decoding feature for now, but with exposed struct fields. Let's remove this custom struct with the next hyper upgrade. I tried to prevent needless HSTS database lookups when network.enforce_tls.enabled is set. --- - [x] `./mach build -d` does not report any errors - [x] `./mach test-tidy` does not report any errors - [x] These changes fix #14363, fix #20120. - [x] There are tests for these changes
bors-servo
pushed a commit
that referenced
this issue
Jan 8, 2020
Fix HSTS The headers crate does not [expose](https://github.com/hyperium/headers/blob/0c42ad8cf56f9af28973c3da71616fa478781fdf/src/common/strict_transport_security.rs#L42) HSTS struct fields. At the moment, it's only usable for HSTS header encoding. An update of the headers crate would require a huge update of http, hyper, hyper_serde, net::decoder as well. Therefore I've copied the `typed_get::<StrictTransportSecurity>` decoding feature for now, but with exposed struct fields. Let's remove this custom struct with the next hyper upgrade. I tried to prevent needless HSTS database lookups when network.enforce_tls.enabled is set. --- - [x] `./mach build -d` does not report any errors - [x] `./mach test-tidy` does not report any errors - [x] These changes fix #14363, fix #20120. - [x] There are tests for these changes
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
and others
Hello,
first, this looks like a great future project, next-gen webbrowser, wow.
Second, I think it should only support HTTPS connections and not plain HTTP.
If it points to the future.
only problem: OCSP uses plain HTTP: https://moxie.org/papers/ocsp-attack.pdf
The text was updated successfully, but these errors were encountered: