SM 2.31b not permit "Use Strict Transport Security"
-
- Posts: 778
- Joined: June 12th, 2008, 9:02 am
SM 2.31b not permit "Use Strict Transport Security"
In SM 2.31b the "Use Strict Transport Security" permission does not work for me.
In SM 2.30, if I launch a YouTube video "http://www.youtube.com/..." it changes the scheme from http to https.
In SM 2.31b it does not.
- therube
- Posts: 21703
- Joined: March 10th, 2004, 9:59 pm
- Location: Maryland USA
Re: SM 2.31b not permit "Use Strict Transport Security"
How do you enable/disable HSTS?
How do you test for it?
Does http://www.youtube.com support it (or do they simply have separate http / https methods of access)?
http://www.paypal.com probably does.
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
-
- Posts: 778
- Joined: June 12th, 2008, 9:02 am
Re: SM 2.31b not permit "Use Strict Transport Security"
Have you tried in 2.31b?
Also, http://www.paypal.com became https in 2.30; in 2.31b it remains http.
- therube
- Posts: 21703
- Joined: March 10th, 2004, 9:59 pm
- Location: Maryland USA
Re: SM 2.31b not permit "Use Strict Transport Security"
paypal gave me https in 2.31b.
See if you don't have something else going on, so test in a new, clean Profile.
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
-
- Moderator
- Posts: 14404
- Joined: May 3rd, 2007, 7:40 am
- Location: US
Re: SM 2.31b not permit "Use Strict Transport Security"
therube wrote: How do you enable/disable HSTS?
Usually a website requiring secure access will set it, thus preventing the browser from accessing the domain with unsecured http:// and "upgrading" such requests to https:// connections. Thus, entering or following an http:// address is supposed to upgrade it to https:// without ever trying the http:// connection.
You can set this in the Data Manager > Permissions tab using the "Add" button. Paypal connects as https:// for me (but also requests it) whereas youtube.com doesn't (using 2.31b1, I haven't tried any earlier version).
-
- Posts: 778
- Joined: June 12th, 2008, 9:02 am
Re: SM 2.31b not permit "Use Strict Transport Security"
I tested more carefully.
PayPal works, YouTube does not.
But I have set "Allow" for
"Use Strict Transport Security"
and
"Apply Strict Transport Security to subdomains"
in the Data Manager permissions for youtube.com.
Why is the scheme not changed to https automatically?
2.30 does, 2.31b does not.
-
- Moderator
- Posts: 14404
- Joined: May 3rd, 2007, 7:40 am
- Location: US
Re: SM 2.31b not permit "Use Strict Transport Security"
Hmm, so bug 775370 - Don't use PermissionManager to save stuff in nsStrictTransportSecurityService checked in for Gecko 34.0, that looks like a suitable candidate for a regression...
Meaning, setting this in the permission manager (by means of the Data Manager) may not have any effect as it's apparently now ignored by the backend using a different mechanism.
-
- Posts: 778
- Joined: June 12th, 2008, 9:02 am
Re: SM 2.31b not permit "Use Strict Transport Security"
Which different mechanism?
-
- Moderator
- Posts: 14404
- Joined: May 3rd, 2007, 7:40 am
- Location: US
Re: SM 2.31b not permit "Use Strict Transport Security"
mounir wrote: security/manager/boot/src/nsStrictTransportSecurityService.cpp is using permission manager to save data but it's actually not related to permissions. We should save that to a global indexeddb for Firefox/Gecko.
-
- Posts: 778
- Joined: June 12th, 2008, 9:02 am
Re: SM 2.31b not permit "Use Strict Transport Security"
If I understand correctly, these permits are now saved in "SiteSecurityServiceState.txt" but only by FF35.
-
- Moderator
- Posts: 14404
- Joined: May 3rd, 2007, 7:40 am
- Location: US
Re: SM 2.31b not permit "Use Strict Transport Security"
Actually, that file exists for me in the profile folder and contains an entry for "www.paypal.com:HSTS" but not for http://www.youtube.com; thus, it seems to work as long as the website is setting it (but not when set manually in the Data Manager).
Edit: I've copied the paypal entry and renamed it to youtube, and now the link goes to https:// as desired. So, that should do as a workaround.
-
- Posts: 778
- Joined: June 12th, 2008, 9:02 am
Re: SM 2.31b not permit "Use Strict Transport Security"
It does not always work. For example:
stackoverflow.com:HSTS 0 16398 1479926458008,1,1
Perhaps it works after the first restart, but then it no longer works and is deleted.
Before, it was working as it should.
-
- Moderator
- Posts: 14404
- Joined: May 3rd, 2007, 7:40 am
- Location: US
Re: SM 2.31b not permit "Use Strict Transport Security"
I've filed bug 1104743 to follow up on this backend change.
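A small parser for the `SiteSecurityServiceState.txt` entry quoted earlier in the thread, added here as an example; it is not part of any poster's message and not Mozilla's code. The field meanings (score, last-access day count since 1970-01-01, then expiry in milliseconds, state, include-subdomains flag) are an assumption about the file layout that the thread does not spell out, and `parse_hsts_entry` / `is_enforced` are hypothetical names.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Assumed meaning of the state field; the thread only shows the value 1.
STATES = {0: "unset", 1: "set", 2: "knockout"}

# Entry exactly as posted in the thread (fields separated by whitespace).
SAMPLE = "stackoverflow.com:HSTS 0 16398 1479926458008,1,1"


def parse_hsts_entry(line):
    """Parse one 'host:HSTS score last_access expiry_ms,state,subdomains' line."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError("expected 4 whitespace-separated fields: %r" % line)
    key, score, last_access_days, value = parts

    host, sep, kind = key.rpartition(":")
    if not sep or not host or kind != "HSTS":
        raise ValueError("not an HSTS entry: %r" % key)

    fields = value.split(",")
    if len(fields) != 3:
        raise ValueError("expected expiry,state,subdomains: %r" % value)
    expiry_ms, state, subdomains = (int(f) for f in fields)

    return {
        "host": host,
        "score": int(score),
        # Assumed: whole days since the Unix epoch.
        "last_access": (EPOCH + timedelta(days=int(last_access_days))).date(),
        # Assumed: milliseconds since the Unix epoch.
        "expires": EPOCH + timedelta(milliseconds=expiry_ms),
        "state": STATES.get(state, "unknown"),
        "include_subdomains": subdomains == 1,
    }


def is_enforced(entry, now):
    """True if the entry is marked as set and has not yet expired at 'now'."""
    return entry["state"] == "set" and entry["expires"] > now


if __name__ == "__main__":
    entry = parse_hsts_entry(SAMPLE)
    print(entry)
    print("enforced now:", is_enforced(entry, datetime.now(timezone.utc)))
```

Run against a copy of the file rather than the live profile, since the browser rewrites it while running.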