HSTS parser bug

[bwbroersma]

Example deafsluitdijk.nl

Strict-Transport-Security: : max-age=31536000; IncludeSubDomains

Note the extra :, I checked the RFC, the 2 major browsers and other implementations:

• RFC: syntax in RFC6797 seems pretty clear:

  Strict-Transport-Security = "Strict-Transport-Security" ":"
                                   [ directive ]  *( ";" [ directive ] )
  
       directive                 = directive-name [ "=" directive-value ]
       directive-name            = token
       directive-value           = token | quoted-string
  
     where:
  
       token          = <token, defined in RFC2616, Section 2.2>
       quoted-string  = <quoted-string, defined in RFC2616, Section 2.2>

  (clickable links: RFC2616, Section 2.2, RFC2616, Section 2.2) No room here I would say.

• Browsers:
  • :fox_face: Firefox trashes the log with a :warning: warning for every resource with this wrong HSTS:

    Strict-Transport-Security: The site specified a header that could not be parsed successfully.

  • Chrome: nothing in the log, bug also does not accept this, since chrome://net-internals/#hsts 'Query HSTS/PKP domain' for deafsluitdijk.nl says Not found after visiting the site.

• Some other implementations:	Tool	Result
  SecurityHeaders.com	:x: Also incorrectly passes
  hstspreload.org	:heavy_check_mark: Correctly gives parser error, also :warning: for other stuff*
  HSTS test - SEO Site Checkup	:x: Also incorrectly passes
  HSTS Test - Domsignal	:x: Internal Server Error on any input

  * See:

  • 1016

  • 1019

  • 1020

  • 1021

  • 1023 (although not in this case, since there is no double header here)

[bwbroersma]

The parsing code: https://github.com/internetstandards/Internet.nl/blob/3ddbe6aacec748ecc429fe9327b6a954c8686b0f/checks/tasks/http_headers.py#L523-L569

Issues:

• [ ] Comment about 6 months should be updated to 1 (leap) year.
• [ ] The split("max-age=") is obviously wrong, since it also accepts invalid-max-age=.
• [ ] The int()-function accepts way too much (e.g. optional +- prefix, different base, etc.), make sure to test:
  • [ ] Fail on max-age=+4294967294; includeSubdomains (reason +), currently passes.
  • [ ] Fail on max-age=31_536_000; includeSubdomains (reason _), currently passes.
  • [ ] Succeed on max-age="31536000", currently fails. However. we should check browser implementations, since e.g. the HSTSpreload code explicitly ignores it. Source: Examples RFC6797:

    The max-age directive value can optionally be quoted

  • [ ] Warning on more than one max-age directive. It's unclear from the RFC which to parse (probably the first?), it's a warning in the HSTSpreload code, probably best to check the browser code.

See The max-age Directive - RFC6797:

    max-age-value = delta-seconds

    delta-seconds = <1*DIGIT, defined in [[RFC2616], Section 3.3.2](https://www.rfc-editor.org/rfc/rfc2616#section-3.3.2)>

and RFC2616:

       DIGIT          = <any US-ASCII digit "0".."9">

Possible useful: the HSTS-parsing go-code from the Chromium HSTSpreload project.