Geoff Buesing
2013-Jun-23 20:37 UTC
ActionDispatch::SSL adding STS headers to non-secure redirect responses
Trying to reconcile the following:

ActionDispatch::SSL adds Strict-Transport-Security headers to all responses, including non-secure redirect-to-https responses...

however, the STS spec explicitly says:

"An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport."

http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14#section-7.2

I'm not an expert on HSTS, but it sounds like ActionDispatch::SSL is violating the spec when it adds STS to redirect responses. Is this for a reason?

I have no evidence or reason to believe that this is causing any bugs or security issues.

-- 
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.
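To make the behaviour in question concrete, here is an added example that is not Rails' own ActionDispatch::SSL code and not part of the original post. It is a minimal Rack-style middleware (plain `[status, headers, body]` triples, no gem needed) that forces HTTPS and sets Strict-Transport-Security. The `sts_on_redirects` option, the `max_age` of one year, the `sts_violation?` checker and the `example.test` requests are all assumptions constructed for this demonstration: with `sts_on_redirects: true` the middleware reproduces what the post describes (STS on the plain-HTTP 301), with the default `false` it only sends STS on responses conveyed over TLS, which is what draft-14 section 7.2 requires.

```ruby
# Added example, not the Rails ActionDispatch::SSL implementation.
# A Rack-style middleware that redirects http:// requests to https:// and
# adds a Strict-Transport-Security header. The `sts_on_redirects` knob is
# an assumption for this demo: true = the behaviour the thread describes
# (STS on the non-secure redirect), false = spec-compliant (STS only on
# responses sent over TLS).
class ForceSSL
  STS_HEADER = 'Strict-Transport-Security'.freeze

  # max_age of one year is an assumed policy value, not a Rails default.
  def initialize(app, max_age: 31_536_000, sts_on_redirects: false)
    @app = app
    @hsts_value = "max-age=#{max_age}"
    @sts_on_redirects = sts_on_redirects
  end

  def call(env)
    if secure_request?(env)
      status, headers, body = @app.call(env)
      # The response travels over TLS, so STS is allowed here.
      headers[STS_HEADER] = @hsts_value
      [status, headers, body]
    else
      redirect_to_https(env)
    end
  end

  private

  def redirect_to_https(env)
    location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    location += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?
    headers = { 'Content-Type' => 'text/html', 'Location' => location }
    # This 301 is conveyed over plain HTTP; the draft says an HSTS host
    # MUST NOT include STS on it. Only the non-compliant variant does.
    headers[STS_HEADER] = @hsts_value if @sts_on_redirects
    [301, headers, []]
  end

  def secure_request?(env)
    env['rack.url_scheme'] == 'https'
  end
end

# Spec check: an STS header is a violation whenever the request that
# produced the response did not arrive over TLS.
def sts_violation?(env, response)
  _status, headers, _body = response
  headers.key?(ForceSSL::STS_HEADER) && env['rack.url_scheme'] != 'https'
end

# Constructed Rack env hashes (not captured traffic) for the demo.
def plain_http_env
  { 'rack.url_scheme' => 'http', 'HTTP_HOST' => 'example.test',
    'PATH_INFO' => '/login', 'QUERY_STRING' => 'next=%2Fhome' }
end

def https_env
  plain_http_env.merge('rack.url_scheme' => 'https')
end

# Trivial downstream app standing in for the Rails application.
APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }

# Runs both variants against the same requests and reports what a
# reviewer would want to know about each response.
def demo
  compliant = ForceSSL.new(APP)
  like_the_thread = ForceSSL.new(APP, sts_on_redirects: true)
  {
    compliant_redirect_violates: sts_violation?(plain_http_env, compliant.call(plain_http_env)),
    thread_redirect_violates: sts_violation?(plain_http_env, like_the_thread.call(plain_http_env)),
    https_response_has_sts: compliant.call(https_env)[1].key?(ForceSSL::STS_HEADER),
    redirect_status: compliant.call(plain_http_env)[0],
    redirect_location: compliant.call(plain_http_env)[1]['Location']
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The header carries no secret, so the extra STS on the redirect leaks nothing; the practical point is that a compliant client must ignore an STS header received over plain HTTP anyway, so setting it there buys nothing and only reports as a spec violation in an audit. The `sts_violation?` check above is the test to run against any middleware of this shape: request over http, assert the redirect has no Strict-Transport-Security; request over https, assert it does.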
Michael Koziarski
2013-Jun-23 23:02 UTC
Re: ActionDispatch::SSL adding STS headers to non-secure redirect responses
On 24/06/2013, at 8:37 AM, Geoff Buesing <gbuesing@gmail.com> wrote:

> Trying to reconcile the following:
>
> ActionDispatch::SSL adds Strict-Transport-Security headers to all responses, including non-secure redirect-to-https responses...
>
> however, the STS spec explicitly says:
>
> "An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport."
>
> http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14#section-7.2
>
> I'm not an expert on HSTS, but it sounds like ActionDispatch::SSL is violating the spec when it adds STS to redirect responses. Is this for a reason?

Likewise I'm not an HSTS expert, and can't see any security implications of it as the header itself only contains non-sensitive information. I'd suggest opening up a pull request to fix it, it's only going to be half a line or so, and perhaps someone can chime in there.

> I have no evidence or reason to believe that this is causing any bugs or security issues.
Geoff Buesing
2013-Jun-24 14:49 UTC
Re: ActionDispatch::SSL adding STS headers to non-secure redirect responses
Pull request is here https://github.com/rails/rails/pull/11065

On Sun, Jun 23, 2013 at 6:02 PM, Michael Koziarski <michael@koziarski.com> wrote:

> On 24/06/2013, at 8:37 AM, Geoff Buesing <gbuesing@gmail.com> wrote:
>
> > Trying to reconcile the following:
> >
> > ActionDispatch::SSL adds Strict-Transport-Security headers to all responses, including non-secure redirect-to-https responses...
> >
> > however, the STS spec explicitly says:
> >
> > "An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport."
> >
> > http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14#section-7.2
> >
> > I'm not an expert on HSTS, but it sounds like ActionDispatch::SSL is violating the spec when it adds STS to redirect responses. Is this for a reason?
>
> Likewise I'm not an HSTS expert, and can't see any security implications of it as the header itself only contains non-sensitive information. I'd suggest opening up a pull request to fix it, it's only going to be half a line or so, and perhaps someone can chime in there.
>
> > I have no evidence or reason to believe that this is causing any bugs or security issues.