Strict-Transport-Security response headers can cause problems for localhost web servers because STS applies host-wide, across all ports. This causes compatibility problems for web developers testing locally as well as end-users who use software packages that commonly spin up localhost webservers for ephemeral reasons (e.g. communication of an auth token from a web login to a local software package). If one local listener sets Strict-Transport-Security on a localhost response, it will be applied to all subsequent localhost requests regardless of port. We resolve this problem by ignoring Strict-Transport-Security headers on responses from localhost URLs.
The expectation is that this will improve compatibility with services that run on localhost by avoiding unexpected interactions across unrelated packages.
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None
HSTS upgrades show in the F12 Network pane as "307 Internal Redirect." In the absence of such an upgrade, the 307 is not shown.
Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).
None--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/8d6c447c-32ba-46af-b04e-828e69b38322n%40chromium.org.
Set request’s current URL’s scheme to "
https
" if all of the following conditions are true:
- request’s current URL’s scheme is "
http
"- request’s current URL’s host is a domain
- Matching request’s current URL’s host per Known HSTS Host Domain Name Matching results in either a superdomain match with an asserted
includeSubDomains
directive or a congruent match (with or without an assertedincludeSubDomains
directive) [HSTS]; or DNS resolution for the request finds a matching HTTPS RR per section 9.5 of [SVCB]. [HSTS] [SVCB]
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/b81818f0-73ef-4703-af4c-8f8fcefd93d2n%40chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/7c28576e-bee4-430e-8a8d-40c9f23fd6c8n%40chromium.org.
Can we request reviews for Security, Privacy, Enterprise, etc in the chrome status entry?
thx
This seems like a good change, but I notice that it has no flag associated with it. Is there a reason for that (i.e. very hard to implement) or something similar? If not, we should play it safe and have one just in case there are unforeseen consequences.
/Daniel
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/1ce4f44c-fde8-4c96-9611-b1a101e4ab3d%40chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/83d14c46-ac56-4820-84b1-09db6e686d90n%40chromium.org.
LGTM3
/Daniel