It may be best to report it on bugzilla. That link should go to the right component: https://bugzilla.mozilla.org/enter_bug.cgi?assigned_to=nobody%40nss.bugs&bug_file_loc=http%3A%2F%2F&bug_ignored=0&bug_severity=normal&bug_status=NEW&component=Libraries&contenttypemethod=autodetect&contenttypeselection=text%2Fplain&defined_groups=1&form_name=enter_bug&maketemplate=Remember%20values%20as%20bookmarkable%20template&op_sys=Linux&priority=--&product=NSS&rep_platform=x86_64

On 2015-10-02 17:45, Arthur Ramsey wrote:
It seems like the handling of HSTS is incorrect in Firefox on Linux
Mint per RFC6797 11.4.1,
https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
and when compared to Google Chrome.  I don't have the
includeSubDomains flag set in the Strict-Transport-Security HTTP
header, but Firefox upgrades the connection when I connect to the
server on TCP 443 (Nginx) or TCP 8080 (Jenkins).  The header is only
set when connecting on TCP 443, so it should only be upgraded on TCP
443 unless I have the includeSubDomains flag set in the
Strict-Transport-Security HTTP header and I don't.

I tested the behavior on Firefox 40.0.3 and Firefox 41.0 for Linux
Mint and it is incorrect, but the same versions for Windows 7 x64 work
correctly.

I reported it to Linux Mint <https://bugs.launchpad.net/linuxmint/+bug/1494781>.
It doesn't appear to happen in upstream Ubuntu.

I'm injecting the header via Nginx with the following configuration.

add_header Strict-Transport-Security "max-age=63072000; preload";
# [% ca_sha256_base64 %] is a template placeholder for the base64 SPKI hash.
# Note: RFC 7469 requires at least two pin-sha256 values (one backup pin).
add_header Public-Key-Pins "pin-sha256=\"[% ca_sha256_base64 %]\"; max-age=2592000";

Can someone help me verify the issue?

Thanks,
Arthur


This e-mail and any attachments may contain CONFIDENTIAL information,
including PROTECTED HEALTH INFORMATION. If you are not the intended
recipient, any use or disclosure of this information is STRICTLY
PROHIBITED; you are requested to delete this e-mail and any
attachments, notify the sender immediately, and notify the Mediture
Privacy Officer at privacyoffi...@mediture.com.
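The header and URI handling discussed in the report above, as an added example that is not part of the thread: it parses a Strict-Transport-Security value per RFC 6797 and applies the section 8.3 rewriting rule, including how an explicit port other than 80 is treated. The host names and header values are constructed.

```python
"""Added example (not from the thread): RFC 6797 HSTS parsing and URI rewriting.
All host names and header values used here are constructed samples."""
import re
from urllib.parse import urlsplit, urlunsplit


def parse_sts(header):
    """Parse a Strict-Transport-Security value into a policy dict.

    RFC 6797 section 6.1: directives are ';'-separated, names are
    case-insensitive, max-age is required and duplicates are invalid,
    unknown directives (e.g. the non-RFC 'preload' token) are ignored.
    Returns None for an invalid header.
    """
    policy = {"max_age": None, "include_subdomains": False}
    seen = set()
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name in seen:  # a repeated directive invalidates the header
            return None
        seen.add(name)
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if not m:
                return None
            policy["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy if policy["max_age"] is not None else None


def is_known_hsts_host(host, known):
    """known maps host name -> policy stored after a secure response
    (section 8.1). A superdomain's policy applies only with includeSubDomains."""
    host = host.lower()
    if host in known:
        return True
    labels = host.split(".")
    return any(known.get(".".join(labels[i:]), {}).get("include_subdomains")
               for i in range(1, len(labels)))


def rewrite_uri(uri, known):
    """Section 8.3: for a known HSTS host, http becomes https, an explicit
    port 80 becomes 443 (dropped as the default), any other explicit port
    is preserved. Note the policy is keyed by host, not by host and port."""
    p = urlsplit(uri)
    if p.scheme != "http" or p.hostname is None or not is_known_hsts_host(p.hostname, known):
        return uri
    netloc = p.hostname + (f":{p.port}" if p.port not in (None, 80) else "")
    return urlunsplit(("https", netloc, p.path, p.query, p.fragment))
```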

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
