Don't require internal redirects before redirecting to HTTPS #87
Comments
|
I'm happy to remove this requirement as soon as we have a solution in place for https://crbug.com/626180 |
|
@lgarron Got it -- I commented on the bug: https://bugs.chromium.org/p/chromium/issues/detail?id=626180#c7 |
|
Not sure who's triaging these issues, though cc @ericlaw1979 in case he's interested. This remains a requirement that is causing some domains to not maintain preload eligibility as external redirects are setup. For example, |
|
+@nharper. I'm not opposed to removing the current same-host redirection requirement. |
|
I'm still opposed to it until we fix https://crbug.com/626180 , especially given that Safari is now moving farther away from supporting cross-domain HSTS without direct navigation. :-/ |
The HSTS preload checker currently requires an internal redirect before an external redirect:
In this case, the domain in question (
greengov.gov) always redirects immediately tohttps://www.whitehouse.gov/greengov/, whether it's accessed over HTTP or HTTPS, or atwwwor the base of the domain.There is an obvious performance hit, and there are no security benefits I can think of to requiring the domain to internally redirect before externally redirecting, other than causing the client to cache the HSTS policy on the way through the double-redirect. However, since this scan is for the purpose of preloading the domain, this isn't really relevant -- once the domain is preloaded, there will be no security benefit to forcing clients to go through that redirect.
I think it should be sufficient that a domain's HTTP endpoints redirect immediately and consistently to HTTPS throughout the redirect chain this tool measures, whether or not these redirect locations are internal to the requested hostname or not. This would allow "redirect domains" like
greengov.govto maintain their performance properties while achieving the same level of functional security as other domains.The text was updated successfully, but these errors were encountered: