I think I found a bug in the code that evaluates HSTS response headers.
OS: Windows + 2nd machine: Debian Linux
Version of Pale Moon: 64Bit, Desktop-Version, 31.4.1 (Win), 31.4.2 (Debian)
Description: If you visit a website that sends at least 2 HSTS headers, Pale Moon gets somewhat confused:
PM reports "Warning: Strict-Transport-Security: The site specified a header that could not be parsed successfully." in the error console and the dev-tools console.
In the dev-tools Network tab, if you inspect the specific request, it shows a concatenation of these 2 headers joined by ", ", which definitely forms an invalid HSTS header.
RFC 6797 (section 8.1, https://www.rfc-editor.org/rfc/rfc6797#section-8.1) states:
"If a UA receives more than one STS header field in an HTTP response message over secure transport, then the UA MUST process only the first such header field."
Bugzilla bug number: Nothing clearly pointing towards this issue, maybe regarding the display in the developer tools bug #1671964.
Steps to reproduce the problem:
Open a website that sends multiple HSTS headers, e.g. https://www.globetrotter.de/
Check the dev-tools Network tab and the Error Console.
I get this header displayed (raw mode):
strict-transport-security: max-age=31536000 ; includeSubDomains, max-age=31536000; includeSubDomains
A test with wget -d shows these response headers:
[…]
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
vary: accept-encoding
Content-Encoding: gzip
Content-Language: de
Strict-Transport-Security: max-age=31536000; includeSubDomains
[…]
Expected result:
- PM parses only the first header
- The domain is recorded as an HSTS domain
- This error message does not appear
- Nice to have: a hint that there were multiple HSTS headers
- The dev-tools show both headers
Actual result:
- According to the error message, the site is not recorded as an HSTS domain
- The dev-tools show one wrong header, even in raw mode.
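As an added illustration (not code from the post above or from Pale Moon), here is a small parser that does what RFC 6797 asks for: take only the first Strict-Transport-Security field (section 8.1) and validate its directives (section 6.1). Run against a constructed response modelled on the wget output, it accepts the first field, while the ", "-joined form seen in the dev-tools fails to parse exactly as the error message describes.

```python
import re

# Constructed sample response, modelled on the wget -d output in the report.
RAW_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
vary: accept-encoding
Content-Language: de
Strict-Transport-Security: max-age=31536000; includeSubDomains
"""

# RFC 7230 token characters; used for directive names and unquoted values.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_DIRECTIVE = re.compile(rf'^\s*({_TOKEN})\s*(?:=\s*(?:"([^"]*)"|({_TOKEN})))?\s*$')


def sts_field_values(raw_response):
    """All STS field values in order of appearance (header names are case-insensitive)."""
    values = []
    for line in raw_response.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            values.append(value.strip())
    return values


def joined_sts_value(raw_response):
    """The ', '-concatenated value a client shows when it merges repeated fields."""
    values = sts_field_values(raw_response)
    return ", ".join(values) if values else None


def parse_sts_value(value):
    """Parse one STS field value per RFC 6797 section 6.1; None if it is not valid."""
    policy = {"max_age": None, "include_subdomains": False}
    seen = set()
    for part in value.split(";"):          # directives are ';'-separated, ',' is not allowed
        if part.strip() == "":
            continue                        # the ABNF permits empty directives
        match = _DIRECTIVE.match(part)
        if match is None:
            return None                     # malformed directive: ignore the whole field
        name = match.group(1).lower()
        val = match.group(2) if match.group(2) is not None else match.group(3)
        if name in seen:
            return None                     # a directive must not appear more than once
        seen.add(name)
        if name == "max-age":
            if val is None or not (val.isascii() and val.isdigit()):
                return None                 # max-age needs a delta-seconds value
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            if val is not None:
                return None                 # includeSubDomains is valueless
            policy["include_subdomains"] = True
        # unknown directives are ignored
    return policy if policy["max_age"] is not None else None   # max-age is required


def hsts_policy_from_response(raw_response):
    """RFC 6797 section 8.1: process only the first STS header field."""
    values = sts_field_values(raw_response)
    return parse_sts_value(values[0]) if values else None
```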