Opened 3 years ago
#17214 new bug
Implement HSTS and HSTS preload
| Reported by: | pulkomandy | Owned by: | nobody |
|---|---|---|---|
| Priority: | normal | Milestone: | Unscheduled |
| Component: | Kits/Network Kit | Version: | R1/beta3 |
| Keywords: | | Cc: | |
| Blocked By: | | Blocking: | |
| Platform: | All | | |
Description
HSTS allows a website to request to be accessed only over HTTPS. The idea is that the website sends a redirect when accessing over HTTP, but the browser stores that and remembers that it should always use HTTPS for that website in future connections.
HSTS-preload allows web browsers to come with a known list of websites supporting HSTS. Some of these websites don't have an HTTP version available at all.
In the current implementation of WebKit, we do none of this, and so sites that rely on HSTS preload are reachable only if you type https:// explicitly in the URL bar.
I'm not sure how it is done in WebKit. Curl appears to have support and I assume WebKit relies on that for the Curl network backend to some extent: https://daniel.haxx.se/blog/2020/11/03/hsts-your-curl/
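
As an added illustration (not part of the ticket, and not Haiku, WebKit or curl code), the sketch below shows the bookkeeping a network backend needs for HSTS: parse a `Strict-Transport-Security` header, remember the policy until it expires, seed preloaded hosts, and decide whether a plain-HTTP request must be upgraded. The class and method names are hypothetical; it assumes host names are already lowercased and uses `expires == 0` as its own marker for a preloaded entry.

```cpp
// Added example: minimal HSTS policy store. All names here are hypothetical.
#include <cctype>
#include <cstdlib>
#include <ctime>
#include <map>
#include <sstream>
#include <string>

struct HstsEntry { time_t expires; bool includeSubDomains; };
class HstsStore {
public:
    // Preloaded hosts ship with the browser; expires == 0 means "never expires".
    void Preload(const std::string& host, bool subs) { fEntries[host] = {0, subs}; }

    // Apply a Strict-Transport-Security header that was received over HTTPS.
    void Update(const std::string& host, const std::string& header, time_t now) {
        long maxAge = -1; bool subs = false;
        std::istringstream in(header);
        std::string tok;
        while (std::getline(in, tok, ';')) {
            std::string d;  // directive, lowercased, whitespace and quotes removed
            for (char c : tok)
                if (!std::isspace((unsigned char)c) && c != '"')
                    d += (char)std::tolower((unsigned char)c);
            if (d.compare(0, 8, "max-age=") == 0) {
                const char* v = d.c_str() + 8; char* end;
                maxAge = std::strtol(v, &end, 10);
                if (end == v || *end) maxAge = -1;   // not a number: treat as missing
            } else if (d == "includesubdomains") subs = true;
        }
        if (maxAge < 0) return;                  // max-age is mandatory, ignore header
        if (maxAge == 0) fEntries.erase(host);   // max-age=0 withdraws the policy
        else fEntries[host] = {(time_t)(now + maxAge), subs};
    }

    // True if host must be reached over HTTPS: an exact match, or a parent
    // domain whose policy carries includeSubDomains.
    bool MustUpgrade(std::string host, time_t now) const {
        for (bool exact = true; ; exact = false) {
            auto it = fEntries.find(host);
            if (it != fEntries.end() && (exact || it->second.includeSubDomains)
                && (it->second.expires == 0 || it->second.expires > now))
                return true;
            size_t dot = host.find('.');
            if (dot == std::string::npos) return false;
            host.erase(0, dot + 1);              // retry with the parent domain
        }
    }
private:
    std::map<std::string, HstsEntry> fEntries;
};
```

A caller would check `MustUpgrade()` before every `http://` request and rewrite the scheme to `https://` when it returns true, and call `Update()` only for responses that arrived over a validated TLS connection.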