[Webkit-unassigned] [Bug 282054] New: HSTS should ignore strict-transport-security response headers

Thu Oct 24 11:37:38 PDT 2024

https://bugs.webkit.org/show_bug.cgi?id=282054

            Bug ID: 282054
           Summary: HSTS should ignore strict-transport-security response
                    headers
           Product: WebKit
           Version: Safari 18
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ericlaw at microsoft.com

https://issues.chromium.org/issues/41251622

Strict-Transport-Security response headers can cause problems for localhost web servers because STS applies host-wide, across all ports. This causes compatibility problems for web developers testing locally as well as end-users who use software packages that commonly spin up localhost webservers for ephemeral reasons (e.g. communication of an auth token from a web login to a local software package). If one local listener sets Strict-Transport-Security on a localhost response, it will be applied to all subsequent localhost requests regardless of port. We resolve this problem by ignoring Strict-Transport-Security headers on responses from localhost URLs.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20241024/13c6fd75/attachment.htm>