<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - upgrade-insecure-requests does not upgrade HTTP URIs after being redirected (maybe)"
   href="https://bugs.webkit.org/show_bug.cgi?id=158389">158389</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>upgrade-insecure-requests does not upgrade HTTP URIs after being redirected (maybe)
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>WebKit Nightly Build
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>New Bugs
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>tollmanz&#64;gmail.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>bfulgham&#64;webkit.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=280540" name="attach_280540" title="Redirect and upgrade flow">attachment 280540</a> <a href="attachment.cgi?id=280540&amp;action=edit" title="Redirect and upgrade flow">[details]</a></span>
Redirect and upgrade flow

Apologies if this is not truly a bug yet, but wanted to document this as work on upgrade-insecure-requests (UIR) progresses. It is entirely possible that after [158388](<a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - upgrade-insecure-requests is applied after other CSP directives potentially blocking resource before upgrade is applied"
   href="show_bug.cgi?id=158388">https://bugs.webkit.org/show_bug.cgi?id=158388</a>) is resolved, this will be a moot point.

It is possible that when URIs are upgraded via UIR and redirected to an HTTP URI, the resource is not upgraded (see attachment for clarity). We need to ensure that UIR handles this case.

At present, I cannot validate whether this bug exists or not due to #158388.

To reproduce:

1. Generate a page with the following CSP header: `default-src https:; upgrade-insecure-requests`
2. Create an HTML page, protected by the CSP in step 1, that contains an `img` tag with a `src` attribute pointing to an HTTP asset (request A), that can successfully be upgraded to an HTTPS (request B) asset via `upgrade-insecure-requests`. This HTTPS asset should then redirect, via the server, to an HTTP asset (request C). Note that this HTTP asset should work as an HTTP or HTTPS request, but the redirect should specifically be to the HTTP version of the asset.
3. Load the page.

Expected behavior:

It is expected that request C should be upgraded to an HTTPS request via `upgrade-insecure-requests`.

What happened:

Request C is not upgraded via `upgrade-insecure-requests` and subsequently blocked by the `default-src https:` CSP directive:

[Error] Unrecognized Content-Security-Policy directive 'upgrade-insecure-requests'.
Refused to load the image '<a href="http://placeholdit.imgix.net/~text?txtsize=33&amp;txt=350%C3%97150&amp;w=350&amp;h=150">http://placeholdit.imgix.net/~text?txtsize=33&amp;txt=350%C3%97150&amp;w=350&amp;h=150</a>' because it violates the following Content Security Policy directive: &quot;default-src https:&quot;. Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

In Firefox, on Nightly and Stable, the upgrade works. I get the following Console output:

Content Security Policy: Upgrading insecure request '<a href="http://domain.com/asset.png">http://domain.com/asset.png</a>' to use 'https'
Content Security Policy: Upgrading insecure request '<a href="http://domain.com/redirected.png">http://domain.com/redirected.png</a>' to use 'https'

I've also filed this bug in Chrome as the bug exists there as well and Mike West indicated that it was a bug.</pre>
        </div>
      </p>
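The three-request flow from the reproduction steps (A upgraded to B, B redirected to C), modelled as an added example that is not part of the bug report and not WebKit code. It applies the `upgrade-insecure-requests` rewrite and the `default-src https:` source check at each hop of a constructed redirect chain, so the two outcomes the reporter describes can be compared: upgrading on every hop (the Firefox behaviour quoted above) lets request C load, while upgrading only the initial request leaves C as plain HTTP and blocked by `default-src https:`. The host `example.test` and the `REDIRECTS` table are constructed stand-ins for the reporter's server-side redirect.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed redirect table standing in for the server-side redirect in step 2:
# the upgraded request B answers with a redirect to the plain-HTTP request C.
REDIRECTS = {
    "https://example.test/asset.png": "http://example.test/redirected.png",
}


def upgrade_insecure_request(url):
    """Rewrite one URL the way upgrade-insecure-requests does: http -> https,
    ws -> wss, and an explicit port 80 becomes 443 (other ports are kept)."""
    parts = urlsplit(url)
    scheme_map = {"http": "https", "ws": "wss"}
    if parts.scheme not in scheme_map:
        return url  # already secure (or a scheme the directive does not touch)
    netloc = parts.netloc
    if parts.port == 80:
        netloc = netloc[: -len(":80")] + ":443"
    return urlunsplit((scheme_map[parts.scheme], netloc, parts.path,
                       parts.query, parts.fragment))


def allowed_by_default_src_https(url):
    """The `default-src https:` check from the reporter's policy: only https passes."""
    return urlsplit(url).scheme == "https"


def fetch_chain(start_url, upgrade_on_redirect, max_redirects=5):
    """Walk the redirect chain for an <img> request under the policy
    `default-src https:; upgrade-insecure-requests`.

    upgrade_on_redirect=True models the expected behaviour (each hop is
    upgraded before the source check); False models the reported bug, where
    only the initial request is upgraded. Returns (hops, final_url, allowed).
    """
    hops = []
    url = upgrade_insecure_request(start_url)  # request A -> request B
    for _ in range(max_redirects + 1):
        hops.append(url)
        if not allowed_by_default_src_https(url):
            return hops, url, False  # blocked by default-src https:
        target = REDIRECTS.get(url)
        if target is None:
            return hops, url, True  # resource loaded
        url = upgrade_insecure_request(target) if upgrade_on_redirect else target
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    for mode in (True, False):
        hops, final, ok = fetch_chain("http://example.test/asset.png", mode)
        print(f"upgrade_on_redirect={mode}: {' -> '.join(hops)} "
              f"=> {'loaded' if ok else 'BLOCKED'}")
```

Running the script prints both chains side by side; the second one ends at `http://example.test/redirected.png` and is blocked, which is the console error the reporter quotes. Swapping the `REDIRECTS` target for an `https:` URL shows that the failure depends only on the redirect pointing at the HTTP version of the asset.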
    </body>
</html>