Nov 27, 2010

Chrome Behavior Confirmed, FF Checked With HSTS Add-On

Both Google and Mozilla have been very responsive in the discussion on HSTS behavior for non-default ports.

Chrome Behavior Confirmed
Adam Langley from Google confirmed that Chrome doesn't enforce HSTS for non-default ports:

From the write up you appear to be using a non-default HTTP port
(8080). That doesn't trigger rewriting in Chromium:

if (scheme == "http" &&
     (request->url().port().empty() || port == 80) &&
     request->context()->transport_security_state() &&
         &domain_state, request->url().host())) {

I understand that the draft may be updated to cover this case in the
future, in which case the code will also be updated.
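
The port condition in the quoted snippet, modeled next to the port-preserving rule that RFC 6797 (section 8.3) later specified. This is an added example, not code from Chromium or from the original post; the function names, the `example.test` host list and the sample URLs are constructed for illustration, and host matching is exact (no includeSubDomains handling).

```javascript
// Added illustration. hstsHosts and all function names are hypothetical.
const hstsHosts = new Set(["example.test"]); // hosts assumed to have sent an HSTS header

// Mirrors the quoted condition: rewrite only when the scheme is http
// and the port is absent or 80.
function upgradeQuotedCheck(rawUrl) {
  const url = new URL(rawUrl);
  // WHATWG URL reports "" for the scheme's default port, so "" also covers ":80".
  const defaultPort = url.port === "" || url.port === "80";
  if (url.protocol === "http:" && defaultPort && hstsHosts.has(url.hostname)) {
    url.protocol = "https:";
  }
  return url.href;
}

// Port-preserving rule: any http URL for a known HSTS host is rewritten;
// port 80 (explicit or implied) ends up on 443, any other explicit port is kept.
function upgradePortPreserving(rawUrl) {
  const url = new URL(rawUrl);
  if (url.protocol === "http:" && hstsHosts.has(url.hostname)) {
    url.protocol = "https:";
  }
  return url.href;
}

// URLs that stay in cleartext under the quoted check but would be
// upgraded under the port-preserving rule.
function cleartextGaps(urls) {
  return urls.filter(
    (u) =>
      upgradeQuotedCheck(u).startsWith("http://") &&
      upgradePortPreserving(u).startsWith("https://")
  );
}

// Constructed sample input.
const sampleUrls = [
  "http://example.test/login",
  "http://example.test:80/login",
  "http://example.test:8080/login",
  "http://other.test:8080/",
];

console.log(cleartextGaps(sampleUrls));
```
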


Firefox Nightly Behavior Checked With HSTS Add-On
Daniel Veditz asked me to use Sid Stamm's Firefox add-on for HSTS:

I installed it, accessed to see that it showed up in the list, which it did. But my site does not show up when I surf to it:

So we're now trying to find out if this is because of any of the following:
  • Non-default port 8443
  • Self-signed SSL certificate added as a permanent security exception in Firefox
  • Domain resolves to on my machine via /etc/hosts

Stay tuned :).
