Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(169)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 764473002: Rewrite HTTP requests over port 443 to HTTPS (in the HSTS code). (Closed)

Created:
6 years ago by lgarron
Modified:
6 years ago
Reviewers:
CC:
cbentzel+watch_chromium.org
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Project:
chromium
Visibility:
Public.

Description

Rewrite HTTP requests over port 443 to HTTPS (in the HSTS code). From https://crbug.com/436451: "If we ask Chrome to load http://example.com:443, it will definitely fail, because Chrome will make plain-text HTTP request to port 443 of the server. However, if example.com is a Known HSTS Host of Chrome (meaning either the user has visited https://example.com before, or it is on the HSTS preload list), it will send request to https://example.com:443, and the request will succeed. We can use JavaScript to differentiate the two cases, since in the first case, onerror event is triggered, while in the second case, onload event is triggered. Therefore, a malicious website can include well-chosen cross-domain images and use this trick to brute-force a list of domains that users have visited. Note that the list could only contain HSTS-enabled but not preloaded websites."" BUG=436451

Patch Set 1 #

Patch Set 2 : Consistent variable names. #

Unified diffs Side-by-side diffs Delta from patch set Stats (+8 lines, -1 line) Patch
M net/url_request/url_request.cc View 1 1 chunk +8 lines, -1 line 0 comments Download

Messages

Total messages: 1 (0 generated)
lgarron
6 years ago (2014-12-11 05:25:44 UTC) #1
Message was sent while issue was closed. 
Note: this was an experiment to see how easily we could rewrite requests on port
443 to HTTPS. It is not complete, and was never meant to be committed.

Powered by Google App Engine
This is Rietveld 408576698