Implement HSTS #6105

Closed
kmcallister opened this issue May 17, 2015 · 5 comments

@kmcallister (Contributor) commented May 17, 2015

HTTP Strict Transport Security.

For now we may not want Servo to persist any state to disk. In that case we can support just HSTS preloads and not the Strict-Transport-Security header.

@jdm (Member) commented May 18, 2015

@kmcallister This is going to need further elaboration if the easy tag is going to be reinstated.

@kmcallister (Contributor, Author) commented May 18, 2015

I linked to the MDN document that explains the whole feature. If we're only doing preloads then we just need to get that file from Google and bake it into Servo.

@kmcallister kmcallister added the E-easy label May 18, 2015
@jdm jdm added E-less easy and removed E-easy labels May 18, 2015
@jdm (Member) commented May 18, 2015

This will require adding additional Servo initialization code (like the hostfile processing) and checks in the HTTP loader. I think we should support an in-memory list of any domains for which we have seen a Strict-Transport-Security header, too.
Code: components/net/resource_task.rs, components/net/http_loader.rs

@samfoo (Contributor) commented Jun 3, 2015

I'm keen to give this a go as a first task. It seems like doing only preloads first should be fairly straightforward. Finding a suitable preload list doesn't appear to be as straightforward.

Chromium packages theirs with the build, as does gecko.

EDIT:

Ahh, it appears that the gecko build actually downloads and parses the Chromium file rather than duplicate effort.

I don't see why servo couldn't do the same, but I'm not familiar with the servo build. A point in the right direction for where that might make sense would be helpful.

@jdm (Member) commented Jun 3, 2015

We could add a mach command to fetch the latest version. That would live somewhere in http://mxr.mozilla.org/servo/source/python/servo/; it's not clear to me which of those files makes the most sense, but the bootstrap_commands.py has a bunch of "download this file" logic.

samfoo added a commit to samfoo/servo that referenced this issue Jun 20, 2015
This resolves the first part of servo#6105. The remaining part is
to update the list based on the STS headers from the server.
samfoo added a commit to samfoo/servo that referenced this issue Jun 22, 2015
This prepares the resource task to update the HSTS list when it sees STS
headers. This will allow full HSTS support for servo#6105 when the
resource task implements the header checking
samfoo added a commit to samfoo/servo that referenced this issue Jun 23, 2015
As per [rfc6797](https://tools.ietf.org/html/rfc6797#section-8.1.1), do
not allow IPv4 or IPv6 addresses as host entries into the HSTS list.

servo#6105
samfoo added a commit to samfoo/servo that referenced this issue Jun 23, 2015
samfoo added a commit to samfoo/servo that referenced this issue Jun 23, 2015
Refactors API for pushing new entries on, and adds a max age. This does
not add a check for the max-age, or remove old entries from the list.
Instead this just adds the data-field.

servo#6105
bors-servo pushed a commit that referenced this issue Jul 20, 2015
Implement HSTS (preload-only)

Implement HSTS (preload-only) #6105

* Downloads the HSTS preload list from the chromium repo (same as gecko), then converts it to a list appropriate for servo.
* Reads the preload list when creating a resource task, and implements STS for those domains.

Still todo:

* Read Strict-Transport-Security headers from servers and add details to the in-memory HSTS list. (note: this requires hyper or servo to implement an STS header struct. Hyper seems like the appropriate location, so I will create an issue/PR there soon). The work for this is nearly done with the exception of adding a new ControlMsg and the new header.
* Persist HSTS list to disk with known hosts (perhaps a different issue should be raised for this?)
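
The host list this thread describes, sketched as an added example (not Servo's code): entries come from a preload list or from a header, IP literals are refused per RFC 6797 section 8.1.1, and subdomains match only when the entry set includeSubDomains. The names `HstsEntry` and `HstsList` are hypothetical, and the expiry check goes beyond the commits above, which only add the max-age field.

```rust
use std::net::IpAddr;

// Hypothetical types for illustration; not Servo's actual definitions.
pub struct HstsEntry {
    host: String,
    include_subdomains: bool,
    max_age: Option<u64>, // seconds; None = preloaded, never expires
    added_at: u64,        // seconds, same clock as `now` below
}

#[derive(Default)]
pub struct HstsList {
    entries: Vec<HstsEntry>,
}

fn normalize(host: &str) -> String {
    host.trim_end_matches('.').to_ascii_lowercase()
}

impl HstsList {
    /// Adds or replaces an entry. IP literals are refused (RFC 6797, 8.1.1).
    pub fn push(&mut self, host: &str, include_subdomains: bool, max_age: Option<u64>, now: u64) -> bool {
        let host = normalize(host);
        let bare = host.trim_start_matches('[').trim_end_matches(']');
        if host.is_empty() || bare.parse::<IpAddr>().is_ok() {
            return false;
        }
        self.entries.retain(|e| e.host != host); // newest policy wins
        self.entries.push(HstsEntry { host, include_subdomains, max_age, added_at: now });
        true
    }

    /// True when `host` equals a live entry, or is a subdomain of a live
    /// entry that set includeSubDomains.
    pub fn is_host_secure(&self, host: &str, now: u64) -> bool {
        let host = normalize(host);
        self.entries.iter().any(|e| {
            let live = e.max_age.map_or(true, |age| now < e.added_at.saturating_add(age));
            let exact = e.host == host;
            let sub = e.include_subdomains && host.ends_with(&format!(".{}", e.host));
            live && (exact || sub)
        })
    }
}

fn main() {
    let mut list = HstsList::default();
    // Constructed sample entry, not taken from the real preload list.
    list.push("example.com", true, None, 0);
    println!("{}", list.is_host_secure("www.example.com", 10));
}
```

Because a new entry replaces the old one for the same host, a `max-age` of 0 leaves an entry that is never live, which is how a server withdraws its policy.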

@jdm jdm closed this Aug 26, 2015
jrmuizel pushed a commit to jrmuizel/gecko-cinnabar that referenced this issue Jun 12, 2017
…preload); r=jdm

Implement HSTS (preload-only) servo/servo#6105

* Downloads the HSTS preload list from the chromium repo (same as gecko), then converts it to a list appropriate for servo.
* Reads the preload list when creating a resource task, and implements STS for those domains.

Still todo:

* Read Strict-Transport-Security headers from servers and add details to the in-memory HSTS list. (note: this requires hyper or servo to implement an STS header struct. Hyper seems like the appropriate location, so I will create an issue/PR there soon). The work for this is nearly done with the exception of adding a new ControlMsg and the new header.
* Persist HSTS list to disk with known hosts (perhaps a different issue should be raised for this?)

Source-Repo: https://github.com/servo/servo
Source-Revision: ab3d6c472d409c1602c873dcdcb495a7fec9d4b0