[Webkit-unassigned] [Bug 210739] [SOUP] Downgrade requests upgraded by HSTS when cookies will be blocked by ITP

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 22 08:54:25 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=210739

--- Comment #5 from Michael Catanzaro <mcatanzaro at gnome.org> ---
(In reply to Carlos Garcia Campos from comment #3)
> Then I'll just disable HSTS for requests when cookies are going to be
> blocked, since that's a lot easier than upgrade -> downgrade -> request
> again with HSTS ignored. I wonder why cocoa does it this way, though.

Yes, that sounds correct. What you're trying to do is implement Mitigation 2 from this blog post: https://webkit.org/blog/8146/protecting-against-hsts-abuse/

"""
We modified WebKit so that when an insecure third-party subresource load from a domain for which we block cookies (such as an invisible tracking pixel) had been upgraded to an authenticated connection because of dynamic HSTS, we ignore the HSTS upgrade request and just use the original URL. This causes HSTS super cookies to become a bit string consisting only of zeroes.
"""

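The rule Michael quotes from Mitigation 2 (skip the dynamic HSTS upgrade for a third-party subresource whose host ITP blocks cookies for, so an HSTS super cookie reads back as all zeroes) can be modelled in a few lines. The following C++ is an added illustration written for this thread, not WebKit or libsoup code: `resolveRequestUrl`, `NetworkState`, the `tracker.example` hosts and the `b0`..`b3` bit pattern are all constructed for the example, and it compares hosts literally where real WebKit compares registrable domains.

```cpp
#include <iostream>
#include <set>
#include <string>

// Hypothetical model of the Mitigation 2 decision; not WebKit/SOUP code.
// Simplification: hosts are compared as exact strings, not registrable domains.

static std::string hostOf(const std::string& url) {
    auto schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos) return "";
    auto start = schemeEnd + 3;
    auto end = url.find('/', start);
    return url.substr(start, end == std::string::npos ? std::string::npos : end - start);
}

static bool isHttp(const std::string& url) { return url.rfind("http://", 0) == 0; }

struct NetworkState {
    std::set<std::string> hstsHosts;          // dynamic HSTS entries learned so far
    std::set<std::string> itpBlockedHosts;    // hosts for which ITP blocks cookies
    bool ignoreHstsWhenCookiesBlocked = true; // the mitigation toggle
};

// Decide which URL is actually fetched for a subresource load on firstPartyHost.
std::string resolveRequestUrl(const std::string& url, const std::string& firstPartyHost,
                              const NetworkState& state) {
    if (!isHttp(url)) return url;               // only plain-http loads can be upgraded
    const std::string host = hostOf(url);
    const bool thirdParty = host != firstPartyHost;
    const bool cookiesBlocked = thirdParty && state.itpBlockedHosts.count(host) > 0;
    if (state.ignoreHstsWhenCookiesBlocked && cookiesBlocked)
        return url;                             // ignore HSTS, keep the original URL
    if (state.hstsHosts.count(host) > 0)
        return "https://" + url.substr(7);      // normal dynamic HSTS upgrade
    return url;
}

// What a tracker embedded on firstPartyHost would observe across n bit-hosts:
// '1' if the load was upgraded to https, '0' otherwise.
std::string observedBits(const std::string& trackerDomain, int n,
                         const std::string& firstPartyHost, const NetworkState& state) {
    std::string bits;
    for (int i = 0; i < n; ++i) {
        std::string url = "http://b" + std::to_string(i) + "." + trackerDomain + "/pixel.gif";
        bits += isHttp(resolveRequestUrl(url, firstPartyHost, state)) ? '0' : '1';
    }
    return bits;
}

// Constructed sample state: HSTS was previously set on b0 and b2 (pattern 1010),
// and ITP blocks cookies for all four tracker hosts.
NetworkState trackerState(bool mitigation) {
    NetworkState s;
    s.ignoreHstsWhenCookiesBlocked = mitigation;
    s.hstsHosts = {"b0.tracker.example", "b2.tracker.example"};
    s.itpBlockedHosts = {"b0.tracker.example", "b1.tracker.example",
                         "b2.tracker.example", "b3.tracker.example"};
    return s;
}

// A first-party load of an HSTS host must still be upgraded with the mitigation on.
bool firstPartyStillUpgraded() {
    NetworkState s = trackerState(true);
    return resolveRequestUrl("http://b0.tracker.example/", "b0.tracker.example", s)
           == "https://b0.tracker.example/";
}

int main() {
    std::cout << "mitigation off: " << observedBits("tracker.example", 4, "news.example", trackerState(false)) << "\n";
    std::cout << "mitigation on:  " << observedBits("tracker.example", 4, "news.example", trackerState(true)) << "\n";
    std::cout << "first-party upgrade intact: " << (firstPartyStillUpgraded() ? "yes" : "no") << "\n";
    return 0;
}
```

With the mitigation off the four third-party pixel loads read back as `1010`; with it on they read back as `0000`, while a first-party load of the same host is still upgraded, which is the behaviour the quoted paragraph describes.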