HSTS

Claudio Saavedra requested to merge hsts into master

I'm making this a merge request so that we can discuss a few things that need ironing out before I feel that it's ready for merging. See https://bugzilla.gnome.org/show_bug.cgi?id=767160 for what has been discussed this far if you need extra background.

  1. soup_hsts_enforcer_set_session_policy(). This is documented to be "permanent to the session", and after talking with @mcatanzaro, it's a bit confusing as it is. The point of these policies is that they live for as long as the session exists and don't expire, in contrast to the policies that come from servers and have a max-age directive which will cause them to expire, eventually. We probably want a better name for this method and/or clearer documentation.

  2. The ::changed signal. This is currently only emitted for non-permanent policies, as defined above. This was so in the code I inherited from @aplazas, so I'm not 100% sure of the logic of this, but I suspect it's because the DB enforcer is only interested in those. It might be cleaner to emit the signal for all policy changes and let subclasses decide which ones they care about.

  3. We're supposed to ignore the HSTS headers if the connection is not hazardous (see the TODO). Not sure how to deal with this and whether it's possible at all from a SoupSessionFeature.

  4. The TODO about internationalized domain names.

  5. Duplicated directives. The specification says that if there are duplicated directives the header should be ignored. We are not honoring the spec here, because soup_header_parse_semi_param_list() is not robust against duplicate directives. We would have to duplicate the parsing code if we wanted to honor the spec here. There's a test for this, but it's currently commented out until this is fixed somehow.

  6. How we rewrite the URI to HTTPS. We do it before sending the message, in both :request_queued and ::restarted. This works well, but the problem is that clients have no idea that the URI has been rewritten. Without changes in Epiphany, for example, the UI still shows the HTTP URI even if the webpage is loaded from an HTTPS address. I think this will require clients to listen to the URI changes and react accordingly. If @danw could comment on this (or anything else, of course), it would be great.

I think these are all the important points that still need a bit of discussion. Hopefully we can merge this soon.

Edited by Claudio Saavedra
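Added here as a worked example, not code from libsoup and not part of this merge request: a strict Strict-Transport-Security parser that ignores the whole header when any known directive repeats (the RFC 6797 behaviour point 5 says cannot be had through soup_header_parse_semi_param_list()), together with a small in-memory policy store that separates client-set "session" policies, which never expire (point 1), from server policies that expire after max-age, and a lookup that decides whether an http:// request should be rewritten to https:// (point 6). Every identifier below is hypothetical, the inputs in the checks are constructed, and the rule that a session policy shadows later server headers for the same host is this example's own choice rather than anything the merge request specifies.

```c
/* Added example, not code from libsoup or this merge request: a strict
 * Strict-Transport-Security parser that ignores the header when a directive
 * repeats (RFC 6797 section 6.1), plus a small policy store separating
 * client-set session policies (no expiry) from server policies (expire after
 * max-age). All names are hypothetical. */
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <strings.h>
#include <time.h>

typedef struct { long max_age; bool include_subdomains; } HstsHeader;

/* False means "ignore this header": repeated directive, missing or
 * non-numeric max-age, a value on includeSubDomains, or junk syntax. */
bool hsts_parse_header(const char *value, HstsHeader *out)
{
    bool seen_max_age = false, seen_isd = false;
    const char *p = value;
    out->max_age = -1; out->include_subdomains = false;
    while (*(p += strspn(p, " \t;"))) {
        const char *name = p, *val = NULL, *end = NULL; /* directive-name[=value] */
        size_t name_len = strcspn(p, "=; \t");
        if (name_len == 0) return false;
        p += name_len + strspn(p + name_len, " \t");
        if (*p == '=') {
            p += 1 + strspn(p + 1, " \t");
            if (*p == '"') {                             /* quoted-string value */
                val = p + 1;
                if (!(end = strchr(val, '"'))) return false;
                p = end + 1;
            } else {                                     /* token value */
                val = p; end = p + strcspn(p, "; \t"); p = end;
            }
            p += strspn(p, " \t");
        }
        if (*p && *p != ';') return false;               /* junk after value */
        if (name_len == 7 && strncasecmp(name, "max-age", 7) == 0) {
            if (seen_max_age || !val || end == val) return false;
            seen_max_age = true;
            unsigned long long n = 0;
            for (const char *c = val; c < end; c++) {
                if (!isdigit((unsigned char)*c)) return false;
                if (n < 1ULL << 40) n = n * 10 + (unsigned)(*c - '0');
            }
            out->max_age = n > 0x7fffffffULL ? 0x7fffffffL : (long)n; /* clamp */
        } else if (name_len == 17 && strncasecmp(name, "includeSubDomains", 17) == 0) {
            if (seen_isd || val) return false;           /* must be valueless */
            seen_isd = true; out->include_subdomains = true;
        }                                                /* unknown: skipped */
    }
    return seen_max_age;
}

#define MAX_POLICIES 16
typedef struct {
    char host[256];
    bool include_subdomains, session;   /* session: client-set, never expires */
    time_t expires;                     /* server policy: absolute expiry time */
} HstsPolicy;
static HstsPolicy policies[MAX_POLICIES];
static int n_policies;

static HstsPolicy *lookup(const char *host, bool create)
{
    for (int i = 0; i < n_policies; i++)
        if (strcasecmp(policies[i].host, host) == 0) return &policies[i];
    if (!create || n_policies == MAX_POLICIES) return NULL;
    HstsPolicy *p = &policies[n_policies++];
    memset(p, 0, sizeof *p);
    strncpy(p->host, host, sizeof p->host - 1);
    return p;
}

/* Point 1's "session policy": no expiry. This example also lets it shadow
 * later server headers for the same host; that is an assumption made here. */
bool hsts_set_session_policy(const char *host, bool include_subdomains)
{
    HstsPolicy *p = lookup(host, true);
    if (!p) return false;
    p->session = true; p->include_subdomains = include_subdomains;
    return true;
}

/* Apply a header received for host at time now; false if it was ignored.
 * max-age=0 deletes an existing server policy (RFC 6797 section 6.1.1). */
bool hsts_apply_header(const char *host, const char *header, time_t now)
{
    HstsHeader h;
    if (!hsts_parse_header(header, &h)) return false;
    HstsPolicy *p = lookup(host, false);
    if (p && p->session) return true;
    if (h.max_age == 0) { if (p) *p = policies[--n_policies]; return true; }
    if (!p && !(p = lookup(host, true))) return false;
    p->include_subdomains = h.include_subdomains;
    p->expires = now + h.max_age;
    return true;
}

/* Must an http:// request to host be rewritten to https:// (point 6)? Exact
 * host, or a parent domain with includeSubDomains; expired policies are skipped. */
bool hsts_should_upgrade(const char *host, time_t now)
{
    size_t hl = strlen(host);
    for (int i = 0; i < n_policies; i++) {
        const HstsPolicy *p = &policies[i];
        size_t pl = strlen(p->host);
        if (!p->session && now >= p->expires) continue;
        if (hl == pl && strcasecmp(host, p->host) == 0) return true;
        if (p->include_subdomains && hl > pl && host[hl - pl - 1] == '.' &&
            strcasecmp(host + hl - pl, p->host) == 0) return true;
    }
    return false;
}
```

The parser deliberately returns false for "max-age=10; max-age=20" and for a repeated includeSubDomains, which is exactly the case the commented-out test in the merge request is waiting on; unknown directives (preload, for instance) are skipped as the RFC requires. The store keeps a session policy alive regardless of the clock, while a server policy stops matching once now reaches its expiry, so the rewrite decision in the enforcer can be made from one call per request.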