Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upImplement HSTS fetch step #14716
Implement HSTS fetch step #14716
Conversation
highfive
commented
Dec 24, 2016
|
Heads up! This PR modifies the following files:
|
|
Travis failure |
|
That's #14723 . |
|
|
|
I have addressed conflicts. @emilio did you get a chance to review the changes? |
|
I think @jdm or @Ms2ger are more suited to review this than me. There should probably be a WPT test or similar for this. @bors-servo try |
Implement HSTS fetch step Implemented step nine of the main fetch. If current URL scheme is 'HTTP' and current URL's host is domain and if current URL's host matched with Known HSTS Host Domain Name Matching results in either a superdomain match with an asserted includeSubDomains directive or a congruent match then we change request scheme to 'https'. This change has been made in method.rs A test case to validate this has been added in fetch.rs. For asserting https scheme, a https localhost was required. For this purpose I have created a self-signed certificate and refactored fetch-context and connector.rs to programmatically trust this certificate for running this test case. This should fix #14363 <!-- Please describe your changes on the following line: --> --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `__` with appropriate data: --> - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors - [X] These changes fix #14363 <!-- Either: --> - [X] There are tests for these changes <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. --> <!-- Reviewable:start --> --- This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/14716) <!-- Reviewable:end -->
|
|
|
Is the test failure due to network issue? |
|
Seems like the failures may be legit? We can retry to verify it. Other option would be that that check makes stuff immensely slower, in which case we'd need a faster data-structure for HstsList. |
| @@ -189,7 +189,15 @@ pub fn main_fetch(request: Rc<Request>, | |||
| } | |||
|
|
|||
| // Step 9 | |||
| // TODO this step (HSTS) | |||
| if request.current_url().scheme() == "http" && request.current_url().domain() != None { | |||
This comment has been minimized.
This comment has been minimized.
|
@bors-servo retry |
Implement HSTS fetch step Implemented step nine of the main fetch. If current URL scheme is 'HTTP' and current URL's host is domain and if current URL's host matched with Known HSTS Host Domain Name Matching results in either a superdomain match with an asserted includeSubDomains directive or a congruent match then we change request scheme to 'https'. This change has been made in method.rs A test case to validate this has been added in fetch.rs. For asserting https scheme, a https localhost was required. For this purpose I have created a self-signed certificate and refactored fetch-context and connector.rs to programmatically trust this certificate for running this test case. This should fix #14363 <!-- Please describe your changes on the following line: --> --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `__` with appropriate data: --> - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors - [X] These changes fix #14363 <!-- Either: --> - [X] There are tests for these changes <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. --> <!-- Reviewable:start --> --- This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/14716) <!-- Reviewable:end -->
|
IMO the hsts list seems pretty big to use a vec as a backing store, but maybe other people have different opinions. |
|
Thanks, @emilio, Maybe I could refactor |
|
|
|
Tests seem green, so it's likely to have been another kind of error. I've opened #14756 to change the underlying storage of the HSTS list. I think it's worth to land that refactoring separately as a followup. |
|
Great work! |
| @@ -0,0 +1,22 @@ | |||
| -----BEGIN CERTIFICATE----- | |||
This comment has been minimized.
This comment has been minimized.
jdm
Dec 28, 2016
Member
This file should be called self_signed_certificate_for_testing.crt to make its purpose clear ;)
| @@ -0,0 +1,28 @@ | |||
| -----BEGIN PRIVATE KEY----- | |||
This comment has been minimized.
This comment has been minimized.
| list.push(HstsEntry::new("localhost".to_owned(), IncludeSubdomains::NotIncluded, None) | ||
| .unwrap()); | ||
| } | ||
| let do_fetch = |url: ServoUrl| { |
This comment has been minimized.
This comment has been minimized.
jdm
Dec 28, 2016
Member
I don't think having this closure makes the test any more readable, so let's remove it.
| fn test_fetch_with_hsts() { | ||
| static MESSAGE: &'static [u8] = b""; | ||
| let handler = move |_: HyperRequest, response: HyperResponse| { | ||
| response.send(MESSAGE).unwrap(); |
This comment has been minimized.
This comment has been minimized.
jdm
Dec 28, 2016
Member
Let's have the response contain the scheme of the request's URL instead. This will let us verify that the server never receives a non-HTTPS connection.
This comment has been minimized.
This comment has been minimized.
nmvk
Dec 29, 2016
Author
Contributor
If I correctly understand, you want request.url.scheme() to be sent as part of response body?. Here we use hyper::server::request::Request which does not capture information about request scheme. If we make a non-HTTPS connection to the server, then we get response error saying "Connection reset"
This comment has been minimized.
This comment has been minimized.
Implemented step nine of the main fetch. If current URL scheme is 'HTTP' and current URL's host is domain and if current URL's host matched with Known HSTS Host Domain Name Matching results in either a superdomain match with an asserted includeSubDomains directive or a congruent match then we change request scheme to 'https'. This change has been made in method.rs A test case to validate this has been added in fetch.rs. For asserting https scheme, a https localhost was required. For this purpose I have created a self-signed certificate and refactored fetch-context and connector.rs to programmatically trust this certificate for running this test case.
|
@bors-servo: r+ |
|
|
|
|
Implement HSTS fetch step Implemented step nine of the main fetch. If current URL scheme is 'HTTP' and current URL's host is domain and if current URL's host matched with Known HSTS Host Domain Name Matching results in either a superdomain match with an asserted includeSubDomains directive or a congruent match then we change request scheme to 'https'. This change has been made in method.rs A test case to validate this has been added in fetch.rs. For asserting https scheme, a https localhost was required. For this purpose I have created a self-signed certificate and refactored fetch-context and connector.rs to programmatically trust this certificate for running this test case. This should fix #14363 <!-- Please describe your changes on the following line: --> --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `__` with appropriate data: --> - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors - [X] These changes fix #14363 <!-- Either: --> - [X] There are tests for these changes <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. --> <!-- Reviewable:start --> --- This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/14716) <!-- Reviewable:end -->
|
|
nmvk commentedDec 24, 2016
•
edited
Implemented step nine of the main fetch. If current URL scheme is 'HTTP' and
current URL's host is domain and if current URL's host matched with Known
HSTS Host Domain Name Matching results in either a superdomain match with
an asserted includeSubDomains directive or a congruent match then we
change request scheme to 'https'. This change has been made in method.rs
A test case to validate this has been added in fetch.rs. For asserting
https scheme, a https localhost was required. For this purpose I have
created a self-signed certificate and refactored fetch-context and
connector.rs to programmatically trust this certificate for running this
test case.
This should fix #14363
./mach build -ddoes not report any errors./mach test-tidydoes not report any errorsThis change is