author Kate McKinley <kmckinley@mozilla.com>
Tue, 27 Sep 2016 11:27:00 -0400
changeset 315476 380eebfd9d8928b656236d08e535fe528258e947
parent 313660 a22abb02c078b9a5b2c2aa98f8cb9e513c90dd2e
child 319428 db39947f538ad225040e2a2ca402cf74fab3f0e9
permissions -rw-r--r--
Bug 1246540 - HSTS Priming Proof of Concept. r=ckerschb, r=mayhemer, r=jld, r=smaug, r=dkeeler, r=jmaher, p=ally HSTS priming changes the order of mixed-content blocking and HSTS upgrades, and adds a priming request to check if a mixed-content load is accesible over HTTPS and the server supports upgrading via the Strict-Transport-Security header. Every call site that uses AsyncOpen2 passes through the mixed-content blocker, and has a LoadInfo. If the mixed-content blocker marks the load as needing HSTS priming, nsHttpChannel will build and send an HSTS priming request on the same URI with the scheme upgraded to HTTPS. If the server allows the upgrade, then channel performs an internal redirect to the HTTPS URI, otherwise use the result of mixed-content blocker to allow or block the load. nsISiteSecurityService adds an optional boolean out parameter to determine if the HSTS state is already cached for negative assertions. If the host has been probed within the previous 24 hours, no HSTS priming check will be sent. MozReview-Commit-ID: ES1JruCtDdX

  type: testharness
  prefs: [security.mixed_content.send_hsts_priming:false,
  [opt_in_method: no-opt-in\n                                 origin: cross-origin-http\n                                 source_scheme: https\n                                 context_nesting: top-level\n                                 redirection: no-redirect\n                                 subresource: link-prefetch-tag\n                                 expectation: allowed]
    expected: FAIL
    bug: haven't implement prefetch link as an optionally blockable item