Relative timestamps in HSTS cache
Bug #1419973 reported by
Cris Dywan
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Midori Web Browser |
Fix Committed
|
High
|
Unassigned |
Bug Description
The cache written for HSTS is conceptionally wrong. Headers are written to the file, including relative time stamps. This is not practical because 1) there can be time spans of days, weeks or years 2) expired timestamps aren't expunged (bug 1290142).
Changed in midori: | |
milestone: | none → 0.6.0 |
Changed in midori: | |
milestone: | 0.6.0 → 0.5.12 |
status: | Confirmed → Fix Committed |
To post a comment you must log in.
As you say, I think both this and bug 1290142 are closely related. Timestamps should be recorded to a specific time, and replaced when new ones are received. For instance, if I send "HSTS 300" then the time should be set at 300 seconds from now, but if a subsequent (and secure) request in that time period sends "HSTS 0" then the setting should be cleared immediately. This can cause issues for sites nearing the end of a secure transition.
http:// tools.ietf. org/html/ rfc6797# section- 8 specificaly relates to how a user agent should properly handle HSTS headers, including storage.