MozillaZine

SM 2.31b does not permit "Use Strict Transport Security"

Discussion about Seamonkey builds
Diamanti
 
Posts: 701
Joined: June 12th, 2008, 9:02 am

Posted November 22nd, 2014, 7:17 pm

In SM 2.31b the "Use Strict Transport Security" permission does not work for me.
In SM 2.30, if I launch a YouTube video "http://www.youtube.com/...", it changes the scheme from http to https.
In SM 2.31b it does not.

therube

 
Posts: 18321
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Posted November 23rd, 2014, 10:16 am

How do you enable/disable HSTS?
How do you test for it?
Does http://www.youtube.com support it (or do they simply have separate http / https methods of access)?
http://www.paypal.com probably does.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

Diamanti
 
Posts: 701
Joined: June 12th, 2008, 9:02 am

Posted November 23rd, 2014, 10:27 am

Have you tried in 2.31b?
Also, http://www.paypal.com became https in 2.30; in 2.31b it remains http.

therube

 
Posts: 18321
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Posted November 23rd, 2014, 10:44 am

PayPal gave me https in 2.31b.
See if you don't have something else going on, so test in a new, clean Profile.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

rsx11m
Moderator
 
Posts: 14423
Joined: May 3rd, 2007, 7:40 am
Location: US

Posted November 23rd, 2014, 10:47 am

therube wrote: How do you enable/disable HSTS?

Usually a website requiring secure access will set it, thus preventing the browser from accessing the domain with unsecured http:// and "upgrading" them to https:// connections. Thus, entering or following an http:// address is supposed to upgrade it to https:// without ever trying the http:// connection.

You can set this in the Data Manager > Permissions tab using the "Add" button. Paypal connects as https:// for me (but also requests it) whereas youtube.com doesn't (using 2.31b1, I haven't tried any earlier version).

Diamanti
 
Posts: 701
Joined: June 12th, 2008, 9:02 am

Posted November 23rd, 2014, 3:27 pm

I tried again, more carefully.
PayPal works, YouTube does not.
But I have set "Allow" for
"Use Strict Transport Security"
and
"Apply Strict Transport Security to subdomains"
in the Data Manager permissions for youtube.com.
Why is the scheme not changed to https automatically?
2.30 does it, 2.31b does not.

rsx11m
Moderator
 
Posts: 14423
Joined: May 3rd, 2007, 7:40 am
Location: US

Posted November 23rd, 2014, 6:37 pm

Hmm, so bug 775370 - Don't use PermissionManager to save stuff in nsStrictTransportSecurityService checked in for Gecko 34.0, that looks like a suitable candidate for a regression... :-k

Meaning, setting this in the permission manager (by means of the Data Manager) may not have any effect as it's apparently now ignored by the backend using a different mechanism.

Diamanti
 
Posts: 701
Joined: June 12th, 2008, 9:02 am

Posted November 23rd, 2014, 6:56 pm

Which different mechanism?

rsx11m
Moderator
 
Posts: 14423
Joined: May 3rd, 2007, 7:40 am
Location: US

Posted November 23rd, 2014, 6:59 pm

mounir wrote: security/manager/boot/src/nsStrictTransportSecurityService.cpp is using permission manager to save data but it's actually not related to permissions. We should save that to a global indexeddb for Firefox/Gecko.
:?:

Diamanti
 
Posts: 701
Joined: June 12th, 2008, 9:02 am

Posted November 23rd, 2014, 7:20 pm

If I understand correctly, these permissions are now saved in "SiteSecurityServiceState.txt" but only by FF35.

rsx11m
Moderator
 
Posts: 14423
Joined: May 3rd, 2007, 7:40 am
Location: US

Posted November 24th, 2014, 8:38 am

Actually, that file exists for me in the profile folder and contains an entry for "www.paypal.com:HSTS" but not for http://www.youtube.com; thus, it seems to work as long as the website is setting it (but not when set manually in the Data Manager).

Edit: I've copied the paypal entry and renamed it to youtube, and now the link goes to https:// as desired. So, that should do as a workaround.

Diamanti
 
Posts: 701
Joined: June 12th, 2008, 9:02 am

Posted November 24th, 2014, 2:12 pm

It does not always work. E.g.
stackoverflow.com:HSTS 0 16398 1479926458008,1,1
Perhaps it works after the first restart, but then it no longer works and the entry is deleted.
Before, it worked as it should.

rsx11m
Moderator
 
Posts: 14423
Joined: May 3rd, 2007, 7:40 am
Location: US

Posted November 25th, 2014, 8:14 am

I've filed bug 1104743 to follow up on this backend change.
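
The entry quoted earlier in the thread (`stackoverflow.com:HSTS 0 16398 1479926458008,1,1`) can be decoded to check what a profile's `SiteSecurityServiceState.txt` holds and whether an entry would still upgrade a request. This is an added example, not part of the original posts or Mozilla's code; the field meanings (score, last-access day count, expiry in milliseconds, state, include-subdomains flag) and the state names are assumptions about the file format.

```python
from datetime import datetime, timedelta, timezone
from typing import NamedTuple, Optional

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Assumed meaning of the state digit (not stated in the thread).
STATES = {0: "unset", 1: "set", 2: "knockout"}

class HstsEntry(NamedTuple):
    host: str
    score: int
    last_accessed: datetime   # stored as days since the Unix epoch (assumed)
    expires: datetime         # stored as milliseconds since the epoch (assumed)
    state: str
    include_subdomains: bool

    def upgrades(self, request_host: str, now: datetime) -> bool:
        """True if an http:// request to request_host should become https://."""
        if self.state != "set" or now >= self.expires:
            return False
        if request_host == self.host:
            return True
        return self.include_subdomains and request_host.endswith("." + self.host)

def parse_line(line: str) -> Optional[HstsEntry]:
    """Parse 'host:HSTS score days expiry,state,subdomains'; None if malformed."""
    parts = line.split()
    if len(parts) != 4 or not parts[0].endswith(":HSTS"):
        return None
    try:
        expiry_ms, state, subs = (int(v) for v in parts[3].split(",")[:3])
        return HstsEntry(
            host=parts[0][: -len(":HSTS")].lower(),
            score=int(parts[1]),
            last_accessed=EPOCH + timedelta(days=int(parts[2])),
            expires=EPOCH + timedelta(milliseconds=expiry_ms),
            state=STATES.get(state, "unknown"),
            include_subdomains=bool(subs),
        )
    except ValueError:
        return None

# First line is the entry quoted in the thread; the others are constructed samples.
SAMPLE = """stackoverflow.com:HSTS 0 16398 1479926458008,1,1
expired.example:HSTS 0 16000 1388534400000,1,0
not a valid line
"""

if __name__ == "__main__":
    now = datetime(2014, 11, 25, tzinfo=timezone.utc)
    for raw in SAMPLE.splitlines():
        e = parse_line(raw)
        print(raw, "->", e and (e.host, e.expires.date(), e.upgrades(e.host, now)))
```

Run against a copy of the file from the profile folder to see which hosts have a live entry after a restart.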
