210739 2020-04-20 03:10:00 -0700 [SOUP] Disable HSTS for requests when cookies will be blocked by ITP 2020-06-14 02:08:15 -0700 1 1 1 Unclassified WebKit WebKit2 WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=210184 Gtk, InRadar P2 Normal --- 1 cgarcia webkit-unassigned bugs-noreply csaavedra mcatanzaro webkit-bug-importer wilander youennf oldest_to_newest 1643407 0 cgarcia 2020-04-20 03:10:00 -0700 "When the original request is HTTP, the request will have its cookies blocked, and has been upgraded by the HSTS mechanism, downgrade back to HTTP, apply all other rules in WebKit that might again upgrade it such as Upgrade Insecure Requests or potential/future auto-upgrade of mixed content, and send out." 1643408 1 cgarcia 2020-04-20 03:12:59 -0700 In the case of soup, I think a request is upgraded from http to https only by HSTS. Why do we wait for HSTS to upgrade the request to downgrade it again? Why not just ignore/disable HSTS when the request is created? 1644299 2 mcatanzaro 2020-04-22 08:25:19 -0700 That's fine. It doesn't make any difference, since that's just an internal implementation detail. The point is simply that prevalent domains should not have HSTS. 1644303 3 cgarcia 2020-04-22 08:37:50 -0700 Then I'll just disable HSTS for requests when cookies are going to be blocked, since that's a lot easier than upgrade -> downgrade -> request again with HSTS ignored. I wonder why cocoa does it this way, though. 1644304 4 csaavedra 2020-04-22 08:39:54 -0700 I think there was something like that in one of the other ports' implementations of the upgrade mechanism, so we might want to improve that. 1644317 5 mcatanzaro 2020-04-22 08:54:25 -0700 (In reply to Carlos Garcia Campos from comment #3) > Then I'll just disable HSTS for requests when cookies are going to be > blocked, since that's a lot easier than upgrade -> downgrade -> request > again with HSTS ignored. I wonder why cocoa does it this way, though. Yes, that sounds correct. What you're trying to do is implement Mitigation 2 from this blog post: https://webkit.org/blog/8146/protecting-against-hsts-abuse/ """ We modified WebKit so that when an insecure third-party subresource load from a domain for which we block cookies (such as an invisible tracking pixel) had been upgraded to an authenticated connection because of dynamic HSTS, we ignore the HSTS upgrade request and just use the original URL. This causes HSTS super cookies to become a bit string consisting only of zeroes. """ 1644324 6 mcatanzaro 2020-04-22 08:59:05 -0700 (In reply to Michael Catanzaro from comment #2) > The point is simply that prevalent domains should not have HSTS. Well one thing has changed: nowadays ITP blocks *all* third-party cookies. I guess this means HSTS should be disabled for all third-party resources? Or does Safari still allow HSTS upgrades on non-prevalent third-party domains? We might investigate what Safari does. But it probably shouldn't, because that would be subject to the same issues discussed in https://webkit.org/blog/9661/preventing-tracking-prevention-tracking/. (Note that ITP has since tightened "all third-party cookies blocked on websites without prior user interaction" to "all third-party cookies blocked without storage access API request.") 1644618 7 wilander 2020-04-22 18:52:28 -0700 (In reply to Carlos Garcia Campos from comment #1) > In the case of soup, I think a request is upgraded from http to https only > by HSTS. Why do we wait for HSTS to upgrade the request to downgrade it > again? Why not just ignore/disable HSTS when the request is created? Are you saying UIR support is Cocoa-specific? That would surprise me. 1644619 8 wilander 2020-04-22 19:00:58 -0700 (In reply to Michael Catanzaro from comment #6) > (In reply to Michael Catanzaro from comment #2) > > The point is simply that prevalent domains should not have HSTS. > > Well one thing has changed: nowadays ITP blocks *all* third-party cookies. I > guess this means HSTS should be disabled for all third-party resources? > > Or does Safari still allow HSTS upgrades on non-prevalent third-party > domains? We might investigate what Safari does. But it probably shouldn't, > because that would be subject to the same issues discussed in > https://webkit.org/blog/9661/preventing-tracking-prevention-tracking/. (Note > that ITP has since tightened "all third-party cookies blocked on websites > without prior user interaction" to "all third-party cookies blocked without > storage access API request.") Since all third-party cookies are blocked by default and not based on classification, HSTS is also blocked across the board. Two things to keep in mind here: 1. Entries on the HSTS preload list should not be downgraded since they are not stateful and thus cannot be used for cross-site tracking purposes. Only downgrade dynamic HSTS. 2. Make sure you also cover HSTS on redirects. This turned out to be the trickiest part for us because it required a new callback from the HTTP layer saying “This redirect was actually to HTTP but I already upgraded it to HTTPS. Do you want to change that?” This is different from the initial request which WebKit sees *before* it goes to the HTTP layer where an upgrade may happen. I.e. you can be proactive on the initial request but need to be reactive on redirects. 1644690 9 cgarcia 2020-04-22 22:33:53 -0700 (In reply to John Wilander from comment #7) > (In reply to Carlos Garcia Campos from comment #1) > > In the case of soup, I think a request is upgraded from http to https only > > by HSTS. Why do we wait for HSTS to upgrade the request to downgrade it > > again? Why not just ignore/disable HSTS when the request is created? > > Are you saying UIR support is Cocoa-specific? That would surprise me. I don't even know what UIR is :-P 1644705 10 csaavedra 2020-04-23 01:06:19 -0700 The Upgrade-Insecure-Request header, I suppose. 1644758 11 wilander 2020-04-23 07:22:07 -0700 (In reply to Claudio Saavedra from comment #10) > The Upgrade-Insecure-Request header, I suppose. Yes, Upgrade Insecure Requests, as mentioned in the quote in the bug description. 1644764 12 mcatanzaro 2020-04-23 07:35:21 -0700 That is: the UIR header always wins, since, if used, it eliminates the potential for HSTS abuse. We don't want to wind up downgrading those requests to HTTP even if they would otherwise be downgraded by HSTS Mitigation 2. 1661898 13 401716 cgarcia 2020-06-12 02:41:46 -0700 Created attachment 401716 Patch I think this is enough in the case of soup. 1661900 14 401717 cgarcia 2020-06-12 02:57:41 -0700 Created attachment 401717 Patch 1661901 15 401718 cgarcia 2020-06-12 03:00:20 -0700 Created attachment 401718 Patch 1661907 16 401718 csaavedra 2020-06-12 05:11:47 -0700 Comment on attachment 401718 Patch Informal review here. We were using .allowCookies() because we didn't have ITP back at the time. It looks to me like this was the right thing to do from the beginning, so the patch looks godo to me. 1661919 17 401718 mcatanzaro 2020-06-12 06:50:35 -0700 Comment on attachment 401718 Patch I think this is correct. The only trick here is that we want Upgrade Insecure Requests to take precedence, so the request should still be upgraded to HTTPS if that's used even if cookies are blocked. But that should be handled... somewhere else... so it should be fine. 1662467 18 cgarcia 2020-06-14 02:07:23 -0700 Committed r263010: <https://trac.webkit.org/changeset/263010> 1662468 19 webkit-bug-importer 2020-06-14 02:08:15 -0700 <rdar://problem/64338649> 401716 2020-06-12 02:41:46 -0700 2020-06-12 02:57:41 -0700 Patch wk2-hsts-itp.diff text/plain 1421 cgarcia ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nIGIvU291cmNlL1dlYktpdC9DaGFu Z2VMb2cKaW5kZXggMjYwY2RlNjUzZjA1Li5jY2FjNWUwMDgxNWIgMTAwNjQ0Ci0tLSBhL1NvdXJj ZS9XZWJLaXQvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCkBAIC0xLDMg KzEsMTUgQEAKKzIwMjAtMDYtMTIgIENhcmxvcyBHYXJjaWEgQ2FtcG9zICA8Y2dhcmNpYUBpZ2Fs aWEuY29tPgorCisgICAgICAgIFtTT1VQXSBEaXNhYmxlIEhTVFMgZm9yIHJlcXVlc3RzIHdoZW4g Y29va2llcyB3aWxsIGJlIGJsb2NrZWQgYnkgSVRQCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJr aXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yMTA3MzkKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JP RFkgKE9PUFMhKS4KKworICAgICAgICBObyBuZXcgdGVzdHMgKE9PUFMhKS4KKworICAgICAgICAq IE5ldHdvcmtQcm9jZXNzL3NvdXAvTmV0d29ya0RhdGFUYXNrU291cC5jcHA6CisgICAgICAgIChX ZWJLaXQ6Ok5ldHdvcmtEYXRhVGFza1NvdXA6OnNob3VsZEFsbG93SFNUU1Byb3RvY29sVXBncmFk ZSBjb25zdCk6CisKIDIwMjAtMDYtMTIgIENhcmxvcyBHYXJjaWEgQ2FtcG9zICA8Y2dhcmNpYUBp Z2FsaWEuY29tPgogCiAgICAgICAgIFtHVEs0XSBNYWtlIFdlYkRyaXZlciB3b3JrCmRpZmYgLS1n aXQgYS9Tb3VyY2UvV2ViS2l0L05ldHdvcmtQcm9jZXNzL3NvdXAvTmV0d29ya0RhdGFUYXNrU291 cC5jcHAgYi9Tb3VyY2UvV2ViS2l0L05ldHdvcmtQcm9jZXNzL3NvdXAvTmV0d29ya0RhdGFUYXNr U291cC5jcHAKaW5kZXggZWY3NzBkMjhiNjY0Li41NGZjNGMyMDY1NGYgMTAwNjQ0Ci0tLSBhL1Nv dXJjZS9XZWJLaXQvTmV0d29ya1Byb2Nlc3Mvc291cC9OZXR3b3JrRGF0YVRhc2tTb3VwLmNwcAor KysgYi9Tb3VyY2UvV2ViS2l0L05ldHdvcmtQcm9jZXNzL3NvdXAvTmV0d29ya0RhdGFUYXNrU291 cC5jcHAKQEAgLTExMzMsNyArMTEzMyw4IEBAIGJvb2wgTmV0d29ya0RhdGFUYXNrU291cDo6c2hv dWxkQWxsb3dIU1RTUHJvdG9jb2xVcGdyYWRlKCkgY29uc3QKICAgICAvLyBGb2xsb3cgQXBwbGUn cyBIU1RTIGFidXNlIG1pdGlnYXRpb24gMjoKICAgICAvLyAiSWdub3JlIEhTVFMgU3RhdGUgZm9y IFN1YnJlc291cmNlIFJlcXVlc3RzIHRvIEJsb2NrZWQgRG9tYWlucyIKICAgICByZXR1cm4gaXNU b3BMZXZlbE5hdmlnYXRpb24oKQotICAgICAgICB8fCBtX2N1cnJlbnRSZXF1ZXN0LmFsbG93Q29v a2llcygpOworICAgICAgICB8fCBtX2N1cnJlbnRSZXF1ZXN0LmFsbG93Q29va2llcygpCisgICAg ICAgIHx8IG1faXNCbG9ja2luZ0Nvb2tpZXM7CiB9CiAKIHZvaWQgTmV0d29ya0RhdGFUYXNrU291 cDo6cHJvdG9jb2xVcGdyYWRlZFZpYUhTVFMoU291cE1lc3NhZ2UqIHNvdXBNZXNzYWdlKQo= 401717 2020-06-12 02:57:41 -0700 2020-06-12 03:00:20 -0700 Patch wk2-hsts-itp.diff text/plain 1378 cgarcia ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nIGIvU291cmNlL1dlYktpdC9DaGFu Z2VMb2cKaW5kZXggMjYwY2RlNjUzZjA1Li5jY2FjNWUwMDgxNWIgMTAwNjQ0Ci0tLSBhL1NvdXJj ZS9XZWJLaXQvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCkBAIC0xLDMg KzEsMTUgQEAKKzIwMjAtMDYtMTIgIENhcmxvcyBHYXJjaWEgQ2FtcG9zICA8Y2dhcmNpYUBpZ2Fs aWEuY29tPgorCisgICAgICAgIFtTT1VQXSBEaXNhYmxlIEhTVFMgZm9yIHJlcXVlc3RzIHdoZW4g Y29va2llcyB3aWxsIGJlIGJsb2NrZWQgYnkgSVRQCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJr aXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yMTA3MzkKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JP RFkgKE9PUFMhKS4KKworICAgICAgICBObyBuZXcgdGVzdHMgKE9PUFMhKS4KKworICAgICAgICAq IE5ldHdvcmtQcm9jZXNzL3NvdXAvTmV0d29ya0RhdGFUYXNrU291cC5jcHA6CisgICAgICAgIChX ZWJLaXQ6Ok5ldHdvcmtEYXRhVGFza1NvdXA6OnNob3VsZEFsbG93SFNUU1Byb3RvY29sVXBncmFk ZSBjb25zdCk6CisKIDIwMjAtMDYtMTIgIENhcmxvcyBHYXJjaWEgQ2FtcG9zICA8Y2dhcmNpYUBp Z2FsaWEuY29tPgogCiAgICAgICAgIFtHVEs0XSBNYWtlIFdlYkRyaXZlciB3b3JrCmRpZmYgLS1n aXQgYS9Tb3VyY2UvV2ViS2l0L05ldHdvcmtQcm9jZXNzL3NvdXAvTmV0d29ya0RhdGFUYXNrU291 cC5jcHAgYi9Tb3VyY2UvV2ViS2l0L05ldHdvcmtQcm9jZXNzL3NvdXAvTmV0d29ya0RhdGFUYXNr U291cC5jcHAKaW5kZXggZWY3NzBkMjhiNjY0Li4xOGEyMjljMWE0NDcgMTAwNjQ0Ci0tLSBhL1Nv dXJjZS9XZWJLaXQvTmV0d29ya1Byb2Nlc3Mvc291cC9OZXR3b3JrRGF0YVRhc2tTb3VwLmNwcAor KysgYi9Tb3VyY2UvV2ViS2l0L05ldHdvcmtQcm9jZXNzL3NvdXAvTmV0d29ya0RhdGFUYXNrU291 cC5jcHAKQEAgLTExMzMsNyArMTEzMyw3IEBAIGJvb2wgTmV0d29ya0RhdGFUYXNrU291cDo6c2hv dWxkQWxsb3dIU1RTUHJvdG9jb2xVcGdyYWRlKCkgY29uc3QKICAgICAvLyBGb2xsb3cgQXBwbGUn cyBIU1RTIGFidXNlIG1pdGlnYXRpb24gMjoKICAgICAvLyAiSWdub3JlIEhTVFMgU3RhdGUgZm9y IFN1YnJlc291cmNlIFJlcXVlc3RzIHRvIEJsb2NrZWQgRG9tYWlucyIKICAgICByZXR1cm4gaXNU b3BMZXZlbE5hdmlnYXRpb24oKQotICAgICAgICB8fCBtX2N1cnJlbnRSZXF1ZXN0LmFsbG93Q29v a2llcygpOworICAgICAgICAmJiAhbV9pc0Jsb2NraW5nQ29va2llczsKIH0KIAogdm9pZCBOZXR3 b3JrRGF0YVRhc2tTb3VwOjpwcm90b2NvbFVwZ3JhZGVkVmlhSFNUUyhTb3VwTWVzc2FnZSogc291 cE1lc3NhZ2UpCg== 401718 2020-06-12 03:00:20 -0700 2020-06-12 06:50:35 -0700 Patch wk2-hsts-itp.diff text/plain 1345 cgarcia ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nIGIvU291cmNlL1dlYktpdC9DaGFu Z2VMb2cKaW5kZXggMjYwY2RlNjUzZjA1Li4wNGI0ODhiNTBkYzkgMTAwNjQ0Ci0tLSBhL1NvdXJj ZS9XZWJLaXQvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCkBAIC0xLDMg KzEsMTMgQEAKKzIwMjAtMDYtMTIgIENhcmxvcyBHYXJjaWEgQ2FtcG9zICA8Y2dhcmNpYUBpZ2Fs aWEuY29tPgorCisgICAgICAgIFtTT1VQXSBEaXNhYmxlIEhTVFMgZm9yIHJlcXVlc3RzIHdoZW4g Y29va2llcyB3aWxsIGJlIGJsb2NrZWQgYnkgSVRQCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJr aXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yMTA3MzkKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JP RFkgKE9PUFMhKS4KKworICAgICAgICAqIE5ldHdvcmtQcm9jZXNzL3NvdXAvTmV0d29ya0RhdGFU YXNrU291cC5jcHA6CisgICAgICAgIChXZWJLaXQ6Ok5ldHdvcmtEYXRhVGFza1NvdXA6OnNob3Vs ZEFsbG93SFNUU1Byb3RvY29sVXBncmFkZSBjb25zdCk6CisKIDIwMjAtMDYtMTIgIENhcmxvcyBH YXJjaWEgQ2FtcG9zICA8Y2dhcmNpYUBpZ2FsaWEuY29tPgogCiAgICAgICAgIFtHVEs0XSBNYWtl IFdlYkRyaXZlciB3b3JrCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0L05ldHdvcmtQcm9jZXNz L3NvdXAvTmV0d29ya0RhdGFUYXNrU291cC5jcHAgYi9Tb3VyY2UvV2ViS2l0L05ldHdvcmtQcm9j ZXNzL3NvdXAvTmV0d29ya0RhdGFUYXNrU291cC5jcHAKaW5kZXggZWY3NzBkMjhiNjY0Li4xOGEy MjljMWE0NDcgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvTmV0d29ya1Byb2Nlc3Mvc291cC9O ZXR3b3JrRGF0YVRhc2tTb3VwLmNwcAorKysgYi9Tb3VyY2UvV2ViS2l0L05ldHdvcmtQcm9jZXNz L3NvdXAvTmV0d29ya0RhdGFUYXNrU291cC5jcHAKQEAgLTExMzMsNyArMTEzMyw3IEBAIGJvb2wg TmV0d29ya0RhdGFUYXNrU291cDo6c2hvdWxkQWxsb3dIU1RTUHJvdG9jb2xVcGdyYWRlKCkgY29u c3QKICAgICAvLyBGb2xsb3cgQXBwbGUncyBIU1RTIGFidXNlIG1pdGlnYXRpb24gMjoKICAgICAv LyAiSWdub3JlIEhTVFMgU3RhdGUgZm9yIFN1YnJlc291cmNlIFJlcXVlc3RzIHRvIEJsb2NrZWQg RG9tYWlucyIKICAgICByZXR1cm4gaXNUb3BMZXZlbE5hdmlnYXRpb24oKQotICAgICAgICB8fCBt X2N1cnJlbnRSZXF1ZXN0LmFsbG93Q29va2llcygpOworICAgICAgICAmJiAhbV9pc0Jsb2NraW5n Q29va2llczsKIH0KIAogdm9pZCBOZXR3b3JrRGF0YVRhc2tTb3VwOjpwcm90b2NvbFVwZ3JhZGVk VmlhSFNUUyhTb3VwTWVzc2FnZSogc291cE1lc3NhZ2UpCg==