Midori Web Browser

Relative timestamps in HSTS cache

Bug #1419973 reported by Cris Dywan on 2015-02-09

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	Midori Web Browser	Fix Committed	High	Unassigned	Midori Web Browser 0.5.12 "No kidding"

Bug Description

The cache written for HSTS is conceptionally wrong. Headers are written to the file, including relative time stamps. This is not practical because 1) there can be time spans of days, weeks or years 2) expired timestamps aren't expunged (bug 1290142).

Tags:

Cris Dywan (kalikiana) on 2015-02-21

Changed in midori:
milestone:	none → 0.6.0

Revision history for this message

Lewis Goddard (lewisgoddard) wrote on 2015-06-07:

As you say, I think both this and bug 1290142 are closely related. Timestamps should be recorded to a specific time, and replaced when new ones are received. For instance, if I send "HSTS 300" then the time should be set at 300 seconds from now, but if a subsequent (and secure) request in that time period sends "HSTS 0" then the setting should be cleared immediately. This can cause issues for sites nearing the end of a secure transition.

http://tools.ietf.org/html/rfc6797#section-8 specificaly relates to how a user agent should properly handle HSTS headers, including storage.

Revision history for this message

The Lemon Man (lemonboy) wrote on 2015-10-03:

You can find some preliminary work here [1].

[1] https://code.launchpad.net/~lemonboy/midori/midori-hsts

Paweł Forysiuk (tuxator) on 2015-12-20

Changed in midori:
milestone:	0.6.0 → 0.5.12
status:	Confirmed → Fix Committed

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.