It seems like the handling of HSTS is incorrect in Firefox on Linux Mint per RFC6797 11.4.1, https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security and when compared to Google Chrome. I don't have the includeSubDomains flag set in the Strict-Transport-Security HTTP header, but Firefox upgrades the connection when I connect to the server on TCP 443 (Nginx) or TCP 8080 (Jenkins). The header is only set when connecting on TCP 443, so it should only be upgraded on TCP 443 unless I have the includeSubDomains flag set in the Strict-Transport-Security HTTP header and I don't.

I tested the behavior on Firefox 40.0.3 and Firefox 41.0 for Linux Mint and it is incorrect, but the same versions for Windows 7 x64 work correctly.

I reported it to Linux Mint: <https://bugs.launchpad.net/linuxmint/+bug/1494781>. It doesn't appear to happen in upstream Ubuntu.

I'm injecting the header via Nginx with the following configuration.

# HSTS without includeSubDomains; "preload" is a non-RFC directive that a UA ignores
add_header Strict-Transport-Security "max-age=63072000; preload";
# HPKP pin; [% ca_sha256_base64 %] is a template placeholder filled at deploy time
# (original line had a stray trailing \" after max-age, which put a bare quote in the header value)
add_header Public-Key-Pins "pin-sha256=\"[% ca_sha256_base64 %]\"; max-age=2592000";

Can someone help me verify the issue?

Thanks,
Arthur
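To make the scoping rules concrete, here is an added Python example (not code from the original post) of how RFC 6797 tells a user agent to apply a stored HSTS policy: section 8.2 matches the request host congruently, and a superdomain only when includeSubDomains was asserted; section 8.3 rewrites the scheme to https and only maps port 80 to 443, so an http request to port 8080 becomes https on port 8080. The in-memory known-hosts dict and the policy dict shape are assumptions of this example.

```python
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns {"max_age": int, "include_subdomains": bool}, or None if the
    header is invalid (missing max-age or a duplicated directive)."""
    max_age, include_sub, seen = None, False, set()
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name in seen:
            return None  # duplicate directive names make the header invalid
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # unknown directives such as "preload" are ignored, as section 6.1 requires
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}

def hsts_applies(known_hosts, host):
    """Section 8.2: a congruent match always applies; a superdomain match
    applies only if that policy carries includeSubDomains. Ports play no role."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        policy = known_hosts.get(".".join(labels[i:]))  # assumed dict store
        if policy is not None and (i == 0 or policy["include_subdomains"]):
            return True
    return False

def upgrade_url(known_hosts, url):
    """Section 8.3: http -> https; port 80 -> 443 (dropped as the default);
    any other explicit port is kept, which is why :8080 is still upgraded."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not hsts_applies(known_hosts, parts.hostname):
        return url
    netloc = parts.hostname
    if parts.port is not None and parts.port != 80:
        netloc += f":{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```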

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto