<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - upgrade-insecure-requests does not upgrade HTTP URIs after being redirected"
   href="https://bugs.webkit.org/show_bug.cgi?id=159118">159118</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>upgrade-insecure-requests does not upgrade HTTP URIs after being redirected
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>Safari Technology Preview
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>New Bugs
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>tollmanz&#64;gmail.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>bfulgham&#64;webkit.org, tollmanz&#64;gmail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=282080" name="attach_282080" title="Flowchart to describe expected and actual upgrades">attachment 282080</a> <a href="attachment.cgi?id=282080&amp;action=edit" title="Flowchart to describe expected and actual upgrades">[details]</a></span>
Flowchart to describe expected and actual upgrades

Steps to reproduce the problem:

1. Generate a page with the following CSP header: `default-src https:; upgrade-insecure-requests`
2. Create an HTML page, protected by the CSP in step 1, that contains an `img` tag with a `src` attribute pointing to an HTTP asset (request A), which can successfully be upgraded to an HTTPS asset (request B) via `upgrade-insecure-requests`. This HTTPS asset should then redirect, via the server, to an HTTP asset (request C). Note that this HTTP asset should work as an HTTP or HTTPS request, but the redirect should specifically be to the HTTP version of the asset.
3. Remove, and possibly flush, any HSTS headers set for the test domain.

You can view a test case here: <a href="https://test-run-dot-csp-unit.appspot.com/tests/bdfab057-5f90-466f-afdd-0d67ca9c5458">https://test-run-dot-csp-unit.appspot.com/tests/bdfab057-5f90-466f-afdd-0d67ca9c5458</a>.

In the test case, <a href="http://goo.gl/fDn2aT">http://goo.gl/fDn2aT</a> is upgraded to <a href="https://goo.gl/fDn2aT">https://goo.gl/fDn2aT</a>, which redirects to <a href="http://placeholdit.imgix.net/~text?txtsize=33&amp;txt=350%C3%97150&amp;w=350&amp;h=150">http://placeholdit.imgix.net/~text?txtsize=33&amp;txt=350%C3%97150&amp;w=350&amp;h=150</a>, but *is not* upgraded to <a href="https://placeholdit.imgix.net/~text?txtsize=33&amp;txt=350%C3%97150&amp;w=350&amp;h=150">https://placeholdit.imgix.net/~text?txtsize=33&amp;txt=350%C3%97150&amp;w=350&amp;h=150</a> as I would expect.

What is the expected behavior?

It is expected that request C should be upgraded to an HTTPS request via `upgrade-insecure-requests`.

What went wrong?

Request C is not upgraded via `upgrade-insecure-requests` and subsequently blocked by the `default-src https:` CSP directive:

Refused to load <a href="http://placeholdit.imgix.net/~text?txtsize=33&amp;txt=350%C3%97150&amp;w=350&amp;h=150">http://placeholdit.imgix.net/~text?txtsize=33&amp;txt=350%C3%97150&amp;w=350&amp;h=150</a> because it appears in neither the img-src directive nor the default-src directive of the Content Security Policy.</pre>
        </div>
      </p>
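<p>The redirect chain in the report, modelled as an added example (this is not code from the bug report or from WebKit). The script models the two policy steps that interact here: the <code>upgrade-insecure-requests</code> rewrite of an <code>http:</code> request URL, and the <code>default-src https:</code> check that <code>img-src</code> falls back to. It walks a constructed redirect chain twice: once applying the upgrade on every hop of the chain, which is the behaviour the reporter expects, and once applying it only to the initial request, which reproduces the block the reporter observed. The hosts (<code>short.example</code>, <code>images.example</code>), the mock server table and the function names are constructed for illustration; the CSP matcher only handles scheme-source expressions, <code>'none'</code>, <code>*</code> and origin strings, which is enough for the policy in the report. It does no network I/O.</p>

```javascript
// Added example: model of upgrade-insecure-requests across a redirect chain.
// Not WebKit code; hosts and responses below are constructed for illustration.

// Constructed stand-in for the servers in the report: an HTTPS URL that
// redirects to an HTTP URL, and an image host reachable over both schemes.
const MOCK_SERVERS = {
  'https://short.example/img': { status: 302, location: 'http://images.example/pic.png' },
  'http://images.example/pic.png': { status: 200, body: 'PNG' },
  'https://images.example/pic.png': { status: 200, body: 'PNG' },
};

// Parse a CSP header into a Map of directive name -> list of source expressions.
function parseCsp(header) {
  const policy = new Map();
  for (const token of header.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    policy.set(parts[0].toLowerCase(), parts.slice(1));
  }
  return policy;
}

// The upgrade step: when the policy carries upgrade-insecure-requests, an
// http: URL is rewritten to https:. (A URL object stores the default port as
// empty, so http:80 becomes https:443 without touching the port here.)
function upgradeIfInsecure(urlString, policy) {
  if (!policy.has('upgrade-insecure-requests')) return urlString;
  const u = new URL(urlString);
  if (u.protocol === 'http:') u.protocol = 'https:';
  return u.toString();
}

// Does the policy allow `directive` (falling back to default-src) to load the URL?
// Limited matcher: '*', 'none', scheme-source such as https:, and origin strings.
function cspAllows(urlString, policy, directive) {
  const sources = policy.get(directive) || policy.get('default-src');
  if (sources === undefined) return true;   // no applicable directive
  const u = new URL(urlString);
  return sources.some((src) => {
    if (src === '*') return true;
    if (src === "'none'") return false;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return u.protocol === src.toLowerCase();
    return src.toLowerCase() === u.origin;   // treat anything else as an origin
  });
}

// Walk the redirect chain for an <img> request. `upgradeEveryHop: true` applies
// the upgrade to each redirected URL (the behaviour the report expects);
// `false` applies it to the initial request only (the behaviour reported).
function fetchImage(initialUrl, cspHeader, { upgradeEveryHop = true, servers = MOCK_SERVERS } = {}) {
  const policy = parseCsp(cspHeader);
  const trace = [];
  let url = initialUrl;
  for (let hop = 0; hop < 20; hop++) {
    if (hop === 0 || upgradeEveryHop) url = upgradeIfInsecure(url, policy);
    if (!cspAllows(url, policy, 'img-src')) {
      trace.push({ url, result: 'blocked by CSP' });
      return { ok: false, blockedUrl: url, finalUrl: null, trace };
    }
    const resp = servers[url];
    if (!resp) {
      trace.push({ url, result: 'no such resource' });
      return { ok: false, blockedUrl: null, finalUrl: null, trace };
    }
    trace.push({ url, result: resp.status });
    if (resp.status >= 300 && resp.status < 400 && resp.location) {
      url = new URL(resp.location, url).toString();   // resolve relative Location
      continue;
    }
    return { ok: resp.status === 200, blockedUrl: null, finalUrl: url, trace };
  }
  throw new Error('too many redirects');
}

const CSP = 'default-src https:; upgrade-insecure-requests';
const START = 'http://short.example/img';   // request A in the report
console.log('upgrade on every hop :', JSON.stringify(fetchImage(START, CSP).trace));
console.log('upgrade on first hop :', JSON.stringify(fetchImage(START, CSP, { upgradeEveryHop: false }).trace));
```

<p>With the upgrade applied per hop the chain ends at <code>https://images.example/pic.png</code> and the image loads; with the upgrade applied only to request A, request C stays <code>http:</code> and fails the <code>default-src https:</code> check, which is the "Refused to load" message quoted above. The model treats the upgrade as part of each fetch of the chain, so the same outcome holds for longer redirect chains and for any scheme-restricted directive that the redirected URL falls under.</p>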
    </body>
</html>