http://www.gstatic.com/generate_204 error and hsts


Chris KD

Sep 17, 2018, 6:09:49 AM
to Chromium-discuss

Hi team,

As per google_chrome_privacy, "Chrome will make a cookieless request to http://www.gstatic.com/generate_204 and check the response code. If that request is redirected, Chrome will open the redirect target in a new tab on the assumption that it's a login page".

However, as per https://www.chromium.org/hsts: "An HSTS enabled server can include the following header in an HTTPS reply:

    Strict-Transport-Security: max-age=16070400; includeSubDomains

When the browser sees this, it will remember, for the given number of seconds, that the current domain should only be contacted over HTTPS. In the future, if the user types http:// or omits the scheme, HTTPS is the default. In fact, all requests for URLs in the current domain will be redirected to HTTPS."

Question is, if there is a "http://www.gstatic.com/generate_204" URL generated by Chrome and if there is a cookie for an HTTPS site that I'm trying to access, would HSTS get triggered?

Regards, 

Chris

PhistucK

Sep 17, 2018, 6:13:31 AM
to krist...@gmail.com, Chromium-discuss
I assume this specific request does not go through the HTTP Strict Transport Security handling. Have you tried?

This looks like the code for handling this feature -

PhistucK

