what about stripping the port from url in case of HSTS redirection?


Nicolas Guerinet

May 20, 2025, 1:13:51 PM5/20/25
to Chromium-discuss
Right now, when querying a domain that is part of the HSTS preload list, I think it would be good to strip the port to ensure it reaches the HTTPS port 443.

Current chromium behavior:
1. user types let's say http:// squoosh.app:8080
2. Internal 307 redirect from chromium to https:// squoosh.app:8080

Suggestion:
1. user types let's say http:// squoosh.app:8080
2. chromium generates an Internal 307 redirect to https:// squoosh.app


Rationale:
An "in-house" hacker could set up a web server listening on any unusual port like 8080, get an SSL certificate from Let's Encrypt and return a malicious website. The domain owner would see nothing because the website would continue to respond on port 443.
It could, for instance, happen behind a load balancer with two different web servers: one official web server and a malicious one.


What do you think?
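The two behaviours described in the post, as an added example that is not part of the original message and not Chromium's code: `upgrade_rfc6797` applies the upgrade rule from RFC 6797 section 8.3 (scheme becomes https, an explicit port 80 becomes 443, any other explicit port is preserved), which is the current behaviour shown above, and `upgrade_strip_port` is the proposed variant that always drops the port. `PRELOAD_HOSTS` is a constructed stand-in for the real preload list, and `is_preloaded` is a hypothetical helper that treats every entry as covering its subdomains.

```python
"""HSTS upgrade of an http:// URL: the RFC 6797 section 8.3 rule that Chromium
follows, next to the port-stripping variant proposed in the post.
Added example, not Chromium code. PRELOAD_HOSTS is a constructed stand-in."""
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the HSTS preload list (the real list is very large).
PRELOAD_HOSTS = {"squoosh.app"}


def is_preloaded(host: str) -> bool:
    """HSTS policy is keyed on the host name only; the port is never part of the match.
    Hypothetical helper: every stand-in entry is treated as covering its subdomains,
    which is what includeSubDomains does for a preloaded host."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    return any(".".join(labels[i:]) in PRELOAD_HOSTS for i in range(len(labels)))


def upgrade_rfc6797(url: str) -> str:
    """RFC 6797 section 8.3: http -> https, explicit port 80 -> 443,
    any other explicit port is preserved (current Chromium behaviour)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "http" or not is_preloaded(host):
        return url  # not an http URL, or not a known HSTS host: nothing to upgrade
    port = parts.port
    # Port 80 is the http default, so it maps to the https default 443 (left implicit).
    netloc = host if port in (None, 80) else f"{host}:{port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def upgrade_strip_port(url: str) -> str:
    """Variant proposed in the post: always drop the port so the request lands on 443."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "http" or not is_preloaded(host):
        return url
    return urlunsplit(("https", host, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for candidate in ("http://squoosh.app:8080/", "http://squoosh.app:80/", "http://example.test:8080/"):
        print(candidate, "->", upgrade_rfc6797(candidate), "|", upgrade_strip_port(candidate))
```

Running the block shows the difference in one line: the RFC rule turns `http://squoosh.app:8080/` into `https://squoosh.app:8080/`, while the proposed variant turns it into `https://squoosh.app/`. Note that both functions decide whether to upgrade from the host alone, because a preload entry covers every port on that host; the two rules only differ in which port the upgraded request reaches. The check in `is_preloaded` is also where a defender would expect the lookup to happen: a request to an unusual port on a preloaded host is still an HSTS request, so it is worth monitoring which ports on such hosts actually answer with a valid certificate.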
