HSTS not fully applied
-
After enabling HTTP Strict Transport Security I find that a few URLs are not redirected, when I expected all requests (the address URL and all embedded/linked images/scripts/styles/frames) to be redirected to their HTTPS version.
For example, after enabling STS for simplemachines.org and simplemachinesweb.com and their subdomains, there's still no green badge on their login page because while Vivaldi redirects most of the page's network requests as expected (e.g. http://media.simplemachinesweb.com/site/images/github2.png gets a "307 Internal Redirect" to https://media.simplemachinesweb.com/site/images/github2.png, which loads fine), other requests are simply blocked as mixed-content (e.g. http://media.simplemachinesweb.com/smf/default/css/webkit.css, which does load OK directly from the address bar, again with a 307 to the HTTPS version, Non-Authoritative-Reason: HSTS, Upgrade-Insecure-Requests: 1). Is this an issue in Chromium, or somehow with the website?
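An added illustration, not part of the thread and not Vivaldi or Chromium code: a small Python model of the HSTS rules from RFC 6797 that the question relies on, namely parsing the Strict-Transport-Security header, remembering the policy per host, and upgrading a request when its host matches a known host exactly or is a subdomain of one whose policy carries includeSubDomains. The header values and hosts are constructed for the example; it models only the upgrade decision, not the separate mixed-content check that the first post sees blocking webkit.css.

```python
# Added example, not code from the forum thread or from Vivaldi/Chromium:
# a minimal model of the HSTS decisions a browser makes, following RFC 6797.
#   - parse the Strict-Transport-Security header (section 6.1)
#   - remember the policy per host, treating max-age=0 as "forget" (section 8.1)
#   - match a request host exactly, or via a parent domain whose policy has
#     includeSubDomains (sections 8.2 and 8.3)
#   - rewrite http:// to https:// for known hosts (section 8.3)
# Header values and hosts below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool


def parse_sts_header(value: str) -> Optional[HstsPolicy]:
    """Return the policy carried by an STS header value, or None if it is invalid.

    RFC 6797 requires exactly one max-age directive: a header without it, with a
    non-numeric value, or with the directive repeated must be ignored entirely.
    """
    max_age: Optional[int] = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains)


class HstsStore:
    """In-memory stand-in for a browser's list of known HSTS hosts."""

    def __init__(self) -> None:
        self.hosts: Dict[str, HstsPolicy] = {}

    def learn(self, host: str, header_value: str) -> bool:
        """Record (or, for max-age=0, forget) the policy a host sent over HTTPS."""
        policy = parse_sts_header(header_value)
        if policy is None:
            return False
        host = host.lower().rstrip(".")
        if policy.max_age == 0:
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = policy
        return True

    def is_known(self, host: str) -> bool:
        """Exact match, or a parent domain whose policy has includeSubDomains."""
        host = host.lower().rstrip(".")
        if host in self.hosts:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = self.hosts.get(".".join(labels[i:]))
            if parent is not None and parent.include_subdomains:
                return True
        return False

    def upgrade(self, url: str) -> str:
        """Rewrite an http:// URL to https:// when its host is an HSTS host.

        Port 80 becomes the https default; any other explicit port is kept.
        """
        parts = urlsplit(url)
        host = parts.hostname
        if parts.scheme != "http" or not host or not self.is_known(host):
            return url
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo() -> Dict[str, str]:
    """Replays the thread's case with constructed header values."""
    store = HstsStore()
    store.learn("simplemachinesweb.com", "max-age=31536000; includeSubDomains")
    store.learn("simplemachines.org", "max-age=31536000")  # no includeSubDomains
    urls = [
        "http://media.simplemachinesweb.com/smf/default/css/webkit.css",
        "http://www.simplemachines.org/login",
        "http://media.simplemachinesweb.com:8080/x",
    ]
    return {u: store.upgrade(u) for u in urls}


if __name__ == "__main__":
    for before, after in demo().items():
        print(f"{before}\n  -> {after}")
```

In this model the stylesheet on media.simplemachinesweb.com is upgraded only because the parent domain's policy carries includeSubDomains; without that flag (the www.simplemachines.org line in the demo) the URL stays http and a mixed-content check would block it, which is the symptom worth ruling out before blaming the browser.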
-
@Gwen-Dragon said in HSTS not fully applied:
That is a problem with the website. Other browsers don't get SSL for subdomains, too.
I’m afraid I don’t get your point.
Are you saying that the problem is with their webserver misbehaving on GET requests, or having misconfigured (sub)domains?
(I agree that they should reference their resources with //media.simplemachinesweb.com/ instead of explicitly http://…) I don’t know how to control HSTS in other browsers, but when enabling it in Chrome I see the same thing when loading the login page: http://media.simplemachinesweb.com/smf/default/css/webkit.css doesn’t redirect automatically to https://media.simplemachinesweb.com/smf/default/css/webkit.css
-
Thanks for replicating the issue (let’s ignore simplemachines.com for now).
I’ve also tried manually forcing HTTPS with the “HTTPS Everywhere” extension, and still couldn’t get any extra HTTP resource to redirect to HTTPS.
I suspect there’s some STS bug in Chromium.