SM 2.31b not permit "Use Strict Transport Security"

Discussion about Seamonkey builds
Diamanti
Posts: 778
Joined: June 12th, 2008, 9:02 am

SM 2.31b not permit "Use Strict Transport Security"

Post by Diamanti »

In SM 2.31b the "Use Strict Transport Security" permission does not work for me.
In SM 2.30, if I launch a YouTube video "http://www.youtube.com/..." it changes the scheme from http to https.
In SM 2.31b it does not.
therube
Posts: 21703
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Re: SM 2.31b not permit "Use Strict Transport Security"

Post by therube »

How do you enable/disable HSTS?
How do you test for it?
Does http://www.youtube.com support it (or do they simply have separate http / https methods of access)?
http://www.paypal.com probably does.
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
Diamanti
Posts: 778
Joined: June 12th, 2008, 9:02 am

Re: SM 2.31b not permit "Use Strict Transport Security"

Post by Diamanti »

Have you tried in 2.31b?
Also, http://www.paypal.com became https in 2.30; in 2.31b it remains http.
therube
Posts: 21703
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Re: SM 2.31b not permit "Use Strict Transport Security"

Post by therube »

PayPal gave me https in 2.31b.
See if you don't have something else going on, so test in a new, clean Profile.
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
rsx11m
Moderator
Posts: 14404
Joined: May 3rd, 2007, 7:40 am
Location: US

Re: SM 2.31b not permit "Use Strict Transport Security"

Post by rsx11m »

therube wrote: How do you enable/disable HSTS?

Usually a website requiring secure access will set it, thus preventing the browser from accessing the domain with unsecured http:// and "upgrading" those requests to https:// connections. Thus, entering or following an http:// address is supposed to upgrade it to https:// without ever trying the http:// connection.

You can set this in the Data Manager > Permissions tab using the "Add" button. Paypal connects as https:// for me (but also requests it) whereas youtube.com doesn't (using 2.31b1, I haven't tried any earlier version).
Diamanti
Posts: 778
Joined: June 12th, 2008, 9:02 am

Re: SM 2.31b not permit "Use Strict Transport Security"

Post by Diamanti »

I tested more carefully.
PayPal works, YouTube does not.
But I have set "Allow" for
"Use Strict Transport Security"
and
"Apply Strict Transport Security to subdomains"
in the Data Manager permissions for youtube.com.
Why is the scheme not changed to https automatically?
2.30 does it, 2.31b does not.
rsx11m
Moderator
Posts: 14404
Joined: May 3rd, 2007, 7:40 am
Location: US

Re: SM 2.31b not permit "Use Strict Transport Security"

Post by rsx11m »

Hmm, so bug 775370 - Don't use PermissionManager to save stuff in nsStrictTransportSecurityService checked in for Gecko 34.0, that looks like a suitable candidate for a regression... :-k

Meaning, setting this in the permission manager (by means of the Data Manager) may not have any effect as it's apparently now ignored by the backend using a different mechanism.
Diamanti
Posts: 778
Joined: June 12th, 2008, 9:02 am

Re: SM 2.31b not permit "Use Strict Transport Security"

Post by Diamanti »

Which different mechanism?
rsx11m
Moderator
Posts: 14404
Joined: May 3rd, 2007, 7:40 am
Location: US

Re: SM 2.31b not permit "Use Strict Transport Security"

Post by rsx11m »

mounir wrote: security/manager/boot/src/nsStrictTransportSecurityService.cpp is using permission manager to save data but it's actually not related to permissions. We should save that to a global indexeddb for Firefox/Gecko.
:?:
Diamanti
Posts: 778
Joined: June 12th, 2008, 9:02 am

Re: SM 2.31b not permit "Use Strict Transport Security"

Post by Diamanti »

If I understand correctly, these permits are now saved in "SiteSecurityServiceState.txt" but only by FF35.
rsx11m
Moderator
Posts: 14404
Joined: May 3rd, 2007, 7:40 am
Location: US

Re: SM 2.31b not permit "Use Strict Transport Security"

Post by rsx11m »

Actually, that file exists for me in the profile folder and contains an entry for "www.paypal.com:HSTS" but not for http://www.youtube.com; thus, it seems to work as long as the website is setting it (but not when set manually in the Data Manager).

Edit: I've copied the paypal entry and renamed it to youtube, and now the link goes to https:// as desired. So, that should do as a workaround.
Diamanti
Posts: 778
Joined: June 12th, 2008, 9:02 am

Re: SM 2.31b not permit "Use Strict Transport Security"

Post by Diamanti »

It does not always work. E.g.
stackoverflow.com:HSTS 0 16398 1479926458008,1,1
Perhaps it works after the first reboot, but then it no longer works and the entry is deleted.
Before, it worked as it should.
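To check which hosts a profile's SiteSecurityServiceState.txt actually pins, the entries can be parsed and tested for expiry. The following is an added example, not code from any poster in this thread or from the SeaMonkey project. The field meanings (score, last-access day number, then expiry in milliseconds, state, include-subdomains flag) are an assumption about the file layout, and `parse_hsts_state` and `active_hosts` are hypothetical helper names.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample. The first line is the entry quoted in the thread; the
# second is a made-up entry whose expiry lies in the past.
SAMPLE = (
    "stackoverflow.com:HSTS\t0\t16398\t1479926458008,1,1\n"
    "expired.example:HSTS\t0\t16000\t1400000000000,1,0\n"
)


def parse_hsts_state(text):
    """Return one dict per well-formed HSTS line.

    Assumed layout (not stated in the thread): key, score, last-access day
    number, then "expiry_ms,state,include_subdomains" with state 1 = set.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line
        host, sep, kind = parts[0].rpartition(":")
        value = parts[3].split(",")
        if not sep or kind != "HSTS" or len(value) < 3:
            continue
        try:
            last_day, expiry_ms = int(parts[2]), int(value[0])
            state, subdomains = int(value[1]), value[2] == "1"
        except ValueError:
            continue  # non-numeric field, skip rather than guess
        entries.append({
            "host": host,
            "last_access": (EPOCH + timedelta(days=last_day)).date(),
            "expires": EPOCH + timedelta(milliseconds=expiry_ms),
            "state": state,
            "include_subdomains": subdomains,
        })
    return entries


def active_hosts(entries, now):
    """Hosts whose entry is set (state 1) and not yet expired at `now`."""
    return [e["host"] for e in entries if e["state"] == 1 and e["expires"] > now]
```

Run against a copy of the profile's file, a host that is missing from the `active_hosts` result will still be fetched over plain http:// on first contact.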
rsx11m
Moderator
Posts: 14404
Joined: May 3rd, 2007, 7:40 am
Location: US

Re: SM 2.31b not permit "Use Strict Transport Security"

Post by rsx11m »

I've filed bug 1104743 to follow up on this backend change.