Strict Transport Security test is broken

shivanikhosa / browserscope

Automatically exported from code.google.com/p/browserscope

Apache License 2.0

0 stars 0 forks source link

Strict Transport Security test is broken #316

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago

What steps will reproduce the problem?
1. Run security test using Google Chrome

What is the expected output? What do you see instead?
Chrome should pass the STS test. I see that Chrome failed the STS test.

Original issue reported on code.google.com by linshunghuang on 12 Nov 2011 at 5:08

GoogleCodeExporter commented 8 years ago

In the STS test, the initial request over HTTPS 
(https://ua-profiler.appspot.com/security/test/set-sts ) should be setting the 
"Strict-Transport-Security: max-age=5" header while redirecting the browser to 
the test URL on HTTP (http://ua-profiler.appspot.com/security/test/test-sts). 
If the browser didn't upgrade the test URL to HTTPS, the test fails.

The current problem is that Google App Engine (appspot.com) is stripping the 
"Strict-Transport-Security" response header, so the test always fails.

Original comment by linshunghuang on 21 Nov 2011 at 6:06

GoogleCodeExporter commented 8 years ago

We use non-appspot domains for a lot of the other security tests, for similar 
reasons. Maybe we can do the same for this one.

Original comment by collin.j...@gmail.com on 21 Nov 2011 at 6:40

GoogleCodeExporter commented 8 years ago

Sure, I think we'll need an HTTPS server for this one.

Original comment by linshunghuang on 21 Nov 2011 at 7:49

GoogleCodeExporter commented 8 years ago

We can probably fix this by putting the following two PHP files on the external 
domain (and then change the set-sts link on the main test page).

set-sts.php (should redirect to test-sts.php on same server):

<?php
header('Strict-Transport-Security: max-age=5');
header('Location:  http://....../test-sts.php');
?>

test-sts.php (redirecting to script-readable result page on browserscope):

<?php 
if ($_SERVER['HTTPS']) {
  header('Location:  http://www.browserscope.org/security/static/sts-pass.html');
} else {
  header('Location:  http://www.browserscope.org/security/static/sts-fail.html');
} 
?>

Original comment by linshunghuang on 21 Nov 2011 at 8:37

GoogleCodeExporter commented 8 years ago

I think we fixed this, it just needs to be pushed right?

Original comment by jack...@chromium.org on 28 Dec 2011 at 11:04

GoogleCodeExporter commented 8 years ago

Yes, the patch is in the trunk.

Original comment by linshunghuang on 28 Dec 2011 at 3:43

GoogleCodeExporter commented 8 years ago

Original comment by linshunghuang on 29 Dec 2011 at 11:24

Changed state: Done