hstspreload
hstspreload copied to clipboard
Don't require internal redirects before redirecting to HTTPS
The HSTS preload checker currently requires an internal redirect before an external redirect:
In this case, the domain in question (greengov.gov
) always redirects immediately to https://www.whitehouse.gov/greengov/
, whether it's accessed over HTTP or HTTPS, or at www
or the base of the domain.
There is an obvious performance hit, and there are no security benefits I can think of to requiring the domain to internally redirect before externally redirecting, other than causing the client to cache the HSTS policy on the way through the double-redirect. However, since this scan is for the purpose of preloading the domain, this isn't really relevant -- once the domain is preloaded, there will be no security benefit to forcing clients to go through that redirect.
I think it should be sufficient that a domain's HTTP endpoints redirect immediately and consistently to HTTPS throughout the redirect chain this tool measures, whether or not these redirect locations are internal to the requested hostname or not. This would allow "redirect domains" like greengov.gov
to maintain their performance properties while achieving the same level of functional security as other domains.
I'm happy to remove this requirement as soon as we have a solution in place for https://crbug.com/626180
@lgarron Got it -- I commented on the bug: https://bugs.chromium.org/p/chromium/issues/detail?id=626180#c7
Not sure who's triaging these issues, though cc @ericlaw1979 in case he's interested. This remains a requirement that is causing some domains to not maintain preload eligibility as external redirects are setup.
For example, dotgov.gov
is now no longer eligible, because http://dotgov.gov
now redirects to https://home.dotgov.gov
directly. While it's certainly not impossible to configure an intermediate redirect, see my comments above for the performance/complexity hit for a security gain that shouldn't be that significant once preloading is completed.
+@nharper. I'm not opposed to removing the current same-host redirection requirement.
I'm still opposed to it until we fix https://crbug.com/626180 , especially given that Safari is now moving farther away from supporting cross-domain HSTS without direct navigation. :-/