Implement HSTS #6105
Comments
|
@kmcallister This is going to need further elaboration if the easy tag is going to be reinstated. |
|
I linked to the MDN document that explains the whole feature. If we're only doing preloads then we just need to get that file from Google and bake it into Servo. |
|
This will require adding additional Servo initialization code (like the hostfile processing) and checks in the HTTP loader. I think we should support an in-memory list of any domains for which we have seen a Strict-Transport-Security header, too. |
|
I'm keen to give this a go as a first task. It seems like doing only preloads first should be fairly straightforward. Finding a suitable preload list doesn't appear to be as straightforward. Chromium packages theirs with the build, as does gecko. EDIT: Ahh, it appears that the gecko build actually downloads and parses the Chromium file rather than duplicate effort. I don't see why servo couldn't do the same, but I'm not familiar with the servo build. A point in the right direction for where that might make sense would be helpful. |
|
We could add a mach command to fetch the latest version. That would live somewhere in http://mxr.mozilla.org/servo/source/python/servo/; it's not clear to me which of those files makes the most sense, but the bootstrap_commands.py has a bunch of "download this file" logic. |
This resolves the first part of servo#6105. The remaining part is to update the list based on the STS headers from the server.
This prepares the resource task to update the HSTS list when it sees STS headers. This will allow full HSTS support for servo#6105 when the resource task implements the header checking
As per [rfc6797](https://tools.ietf.org/html/rfc6797#section-8.1.1), do not allow IPv4 or IPv6 addresses as host entries into the HSTS list. servo#6105
Refactors API for pushing new entries on, and adds a max age. This does not add a check for the max-age, or remove old entries from the list. Instead this just adds the data-field. servo#6105
Implement HSTS (preload-only)
Implement HSTS (preload-only) #6105
* Downloads the HSTS preload list from the chromium repo (same as gecko), then convert it to a list appropriate for servo.
* Reads the preload list when creating a resource task, and implements STS for those domains.
Still todo:
* Read Strict-Transport-Security headers from servers and add details to the in-memory HSTS list. (note: this requires hyper or servo to implement an STS header struct. Hyper seems like the appropriate location, so I will create an issue/PR there soon). The work for this is nearly done with the exception of adding a new ControlMsg and the new header.
* Persist HSTS list to disk with known hosts (perhaps a different issue should be raised for this?)
…preload); r=jdm Implement HSTS (preload-only) servo/servo#6105 * Downloads the HSTS preload list from the chromium repo (same as gecko), then convert it to a list appropriate for servo. * Reads the preload list when creating a resource task, and implements STS for those domains. Still todo: * Read Strict-Transport-Security headers from servers and add details to the in-memory HSTS list. (note: this requires hyper or servo to implement an STS header struct. Hyper seems like the appropriate location, so I will create an issue/PR there soon). The work for this is nearly done with the exception of adding a new ControlMsg and the new header. * Persist HSTS list to disk with known hosts (perhaps a different issue should be raised for this?) Source-Repo: https://github.com/servo/servo Source-Revision: ab3d6c472d409c1602c873dcdcb495a7fec9d4b0
…preload); r=jdm Implement HSTS (preload-only) servo/servo#6105 * Downloads the HSTS preload list from the chromium repo (same as gecko), then convert it to a list appropriate for servo. * Reads the preload list when creating a resource task, and implements STS for those domains. Still todo: * Read Strict-Transport-Security headers from servers and add details to the in-memory HSTS list. (note: this requires hyper or servo to implement an STS header struct. Hyper seems like the appropriate location, so I will create an issue/PR there soon). The work for this is nearly done with the exception of adding a new ControlMsg and the new header. * Persist HSTS list to disk with known hosts (perhaps a different issue should be raised for this?) Source-Repo: https://github.com/servo/servo Source-Revision: ab3d6c472d409c1602c873dcdcb495a7fec9d4b0 UltraBlame original commit: 663d48546f77cdce4c5ac5b30b2d15979a481773
HTTP Strict Transport Security.
For now we may not want Servo to persist any state to disk. In that case we can support just HSTS preloads and not the Strict-Transport-Security header.
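The in-memory list discussed in this thread, sketched as an added example (not Servo's code and not taken from the linked commits). It refuses IP-literal hosts per RFC 6797 section 8.1.1 and matches subdomains, and it goes one step beyond the commits above by also enforcing max-age expiry. `HstsList`, `HstsEntry`, `push`, `is_host_secure` and the caller-supplied clock in seconds are hypothetical names and assumptions.

```rust
use std::net::IpAddr;
// Hypothetical types for illustration; not Servo's actual HSTS structures.
pub struct HstsEntry {
    host: String,
    include_subdomains: bool,
    max_age: Option<u64>, // seconds; None models a preloaded entry (assumption)
    added_at: u64,        // seconds on a caller-supplied clock
}

#[derive(Default)]
pub struct HstsList { entries: Vec<HstsEntry> }

fn normalize(host: &str) -> String {
    host.trim_end_matches('.').to_ascii_lowercase()
}

impl HstsList {
    /// Adds or replaces a host policy. Returns false when the host is refused:
    /// RFC 6797 section 8.1.1 excludes IPv4 and IPv6 literals.
    pub fn push(&mut self, host: &str, include_subdomains: bool, max_age: Option<u64>, now: u64) -> bool {
        let host = normalize(host);
        let bare = host.trim_start_matches('[').trim_end_matches(']');
        if host.is_empty() || bare.parse::<IpAddr>().is_ok() {
            return false;
        }
        // The newest policy wins; max-age=0 deletes the stored entry.
        self.entries.retain(|e| e.host != host);
        if max_age != Some(0) {
            self.entries.push(HstsEntry { host, include_subdomains, max_age, added_at: now });
        }
        true
    }

    /// True when `host` must be loaded over HTTPS at time `now`.
    pub fn is_host_secure(&self, host: &str, now: u64) -> bool {
        let host = normalize(host);
        self.entries.iter().any(|e| {
            let live = e.max_age.map_or(true, |age| now < e.added_at.saturating_add(age));
            let sub = e.include_subdomains && host.ends_with(&format!(".{}", e.host));
            live && (host == e.host || sub)
        })
    }
}

fn main() {
    let mut list = HstsList::default();
    list.push("example.com", true, Some(3600), 0);
    println!("{}", list.is_host_secure("www.example.com", 10));
}
```

The subdomain check compares against `.` plus the stored host, so `notexample.com` does not match an entry for `example.com`.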