ericlaw1979 / moartls

The moarTLS Analyzer Browser Extension flags non-secure references in web pages.
https://textplain.wordpress.com/2016/03/17/seek-and-destroy-non-secure-references-using-the-moartls-analyzer/
MIT License

HSTS checker chases redirects, gives misleading results #7

Closed ericlaw1979 closed 8 years ago

ericlaw1979 commented 8 years ago

moarTLS incorrectly reports that go.microsoft.com is advertising HSTS policy.

```
GET http://go.microsoft.com/fwlink/?LinkID=530144
    302 Redirect to https://www.microsoft.com/en-us/servicesagreement/

GET https://www.microsoft.com/en-us/servicesagreement/
    Strict-Transport-Security: max-age=31536000
    200 OK (text/html)
```

To fix this, we need to resolve the TODO and use the fetch API instead.

ericlaw1979 commented 8 years ago

Sadly, fetch() doesn't today support timeouts: https://github.com/whatwg/fetch/issues/20

For XHR, we can at least check the final URL before indicating HSTS support.

```js
http.onreadystatechange = function () {
  if (this.readyState === this.DONE) {
    // responseURL is the URL of the final response, after any redirects.
    console.log(this.responseURL);
  }
};
```
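Added example, not moarTLS code: the check the thread describes, written as a pure function so it can be tested without a network. `hstsVerdict` takes the probed URL, the final `responseURL` reported by XHR, and the `Strict-Transport-Security` value from that final response, and only credits HSTS to the probed host when the header actually came from that host over HTTPS; the header parser follows RFC 6797 and the go.microsoft.com exchange from the issue is reproduced as constructed input.

```javascript
// Added example (not moarTLS code): decide whether an HSTS header observed on a
// response may be credited to the host that was originally probed. The bug in
// this issue is that XHR/fetch follow redirects transparently, so a header sent
// by https://www.microsoft.com/ was attributed to go.microsoft.com.

// Parse a Strict-Transport-Security value into its directives (RFC 6797 s6.1).
// Returns null when the header is absent or carries no valid max-age.
function parseHsts(headerValue) {
  if (!headerValue) return null;
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of headerValue.split(';')) {
    const [rawName, rawVal] = part.split('=');
    const name = rawName.trim().toLowerCase(); // directive names are case-insensitive
    if (name === 'max-age' && rawVal !== undefined) {
      const n = Number(rawVal.trim().replace(/^"|"$/g, '')); // value may be quoted
      if (Number.isInteger(n) && n >= 0) policy.maxAge = n;
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (name === 'preload') {
      policy.preload = true;
    }
  }
  return policy.maxAge === null ? null : policy;
}

// probedUrl: the URL the checker requested; responseUrl: XHR's responseURL
// (the final URL after redirects); stsHeader: STS value on that final response.
function hstsVerdict(probedUrl, responseUrl, stsHeader) {
  const probed = new URL(probedUrl);
  const final_ = new URL(responseUrl);
  const policy = parseHsts(stsHeader);
  if (!policy) return { hsts: false, reason: 'no valid Strict-Transport-Security header' };
  // RFC 6797 s8.1: a UA only honours an STS header received over a secure transport.
  if (final_.protocol !== 'https:') return { hsts: false, reason: 'header not received over HTTPS' };
  // The policy binds to the host that sent it, not to the host that redirected there.
  if (final_.hostname !== probed.hostname) {
    return { hsts: false, reason: 'redirected to ' + final_.hostname + '; policy belongs to that host' };
  }
  return { hsts: true, maxAge: policy.maxAge, includeSubDomains: policy.includeSubDomains };
}

// Constructed sample mirroring the exchange quoted in the issue.
const sampleVerdict = hstsVerdict(
  'http://go.microsoft.com/fwlink/?LinkID=530144',
  'https://www.microsoft.com/en-us/servicesagreement/',
  'max-age=31536000');
console.log(sampleVerdict);
```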