multiple HSTS-Headers create HSTS failure

Discussions about the development and maturation of the platform code (UXP).
Warning: may contain highly-technical topics.


AndieM
Moongazer
Posts: 13
Joined: 2019-04-11, 14:49

multiple HSTS-Headers create HSTS failure

Post by AndieM » 2022-12-23, 16:13

Hi,
I think I found a bug in the code that evaluates HSTS response headers.

OS: Windows + 2nd machine: Debian Linux
Version of Pale Moon: 64Bit, Desktop-Version, 31.4.1 (Win), 31.4.2 (Debian)

Description: If you visit a website that sends at least 2 HSTS headers, Pale Moon gets somewhat confused:
PM reports "Warning: Strict-Transport-Security: The site specified a header that could not be parsed successfully." in the error console & dev-tools console.
In the dev-tools Network tab, if you inspect the specific request, it shows a concatenation of these 2 headers joined by ", ", which definitely forms an invalid HSTS header.

RFC 6797 (section 8.1, https://www.rfc-editor.org/rfc/rfc6797#section-8.1) states:
If a UA receives more than one STS header field in an HTTP response message over secure transport, then the UA MUST process only the first such header field.
Bugzilla bug number: Nothing clearly pointing towards this issue, maybe regarding the display in the developer-tools bug #1671964.

Steps to reproduce the problem:
Open a website that sends multiple HSTS headers, e.g. https://www.globetrotter.de/
Check the dev-tools Network-Tab and the Error Console.
I get this header displayed (raw-mode):
strict-transport-security: max-age=31536000 ; includeSubDomains, max-age=31536000; includeSubDomains

A test with wget -d shows these response headers:

Code:

[…]
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
vary: accept-encoding
Content-Encoding: gzip
Content-Language: de
Strict-Transport-Security: max-age=31536000; includeSubDomains
[…]
Expected result:
- PM parses only the first header
- The Domain is recorded as HSTS-Domain
- Not this error message ;-)
- Nice to have: A hint that there were multiple HSTS headers
- The dev-tools show both headers

Actual result:
- According to the error message the site is not recorded as HSTS-Domain
- The dev-tools show one wrong header, even in raw mode.

Moonchild
Pale Moon guru
Posts: 35405
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: multiple HSTS-Headers create HSTS failure

Post by Moonchild » 2022-12-23, 16:37

Thanks for the report.

Looks like we don't do anything to properly handle coalesced duplicate headers (where two instances of a header are comma-joined). Since the HSTS spec says "ignore all but the first header", it means to strip everything after a comma when parsing the header value.

Should be an easy fix to do.

Could you (or someone else if you don't want to do this) please file this as an issue in the UXP repo?

Of note: sending multiple HSTS headers is in violation of the HSTS spec (HSTS does not allow multiple headers to be sent and coalesced) so this would be cleanup of bad server configuration on our end. Technically, we're already doing the right thing by coalescing and then deciding the resulting header is invalid, but I'm OK with putting in this web compat workaround. There's a spec conflict here so we have to choose what is more important.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
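A small parser showing the RFC 6797 section 8.1 handling described above (process only the first STS field instance, even when a server has sent two and they arrive comma-coalesced). This is an added example, not UXP's code or the fix that was committed; the coalesced value is the one quoted in the report, and the token pattern, the `first_only` switch and the helper names are my own assumptions.

```python
import re

# RFC 7230 token characters; a directive name must be a token, so a name
# containing ", " (as in the coalesced value) is invalid.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Constructed sample: the coalesced value the Network tab showed in the report.
COALESCED = "max-age=31536000 ; includeSubDomains, max-age=31536000; includeSubDomains"


def split_coalesced(value):
    """Split a comma-joined header value back into its field instances.
    Commas inside quoted-string directive values are not separators."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts]


def parse_hsts(value, first_only=True):
    """Parse a Strict-Transport-Security value.

    Returns {'max_age': int, 'include_subdomains': bool}, or None when the
    value is invalid (RFC 6797 s6.1: max-age required, directive names must
    be tokens, no directive may appear twice).  With first_only=True only the
    first comma-joined instance is processed (RFC 6797 s8.1); with
    first_only=False the whole coalesced string is parsed, which reproduces
    the "could not be parsed successfully" failure from the report.
    """
    field = split_coalesced(value)[0] if first_only else value
    seen = {}
    for directive in field.split(";"):
        directive = directive.strip()
        if not directive:  # the grammar allows empty directives (";;")
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        if not TOKEN.match(name) or name in seen:
            return None
        seen[name] = raw.strip().strip('"')
    if not seen.get("max-age", "").isdigit():
        return None
    return {"max_age": int(seen["max-age"]), "include_subdomains": "includesubdomains" in seen}
```

Run `parse_hsts(COALESCED)` to get the first instance's policy, and `parse_hsts(COALESCED, first_only=False)` to see the coalesced string rejected as unparseable.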

AndieM
Moongazer
Posts: 13
Joined: 2019-04-11, 14:49

Re: multiple HSTS-Headers create HSTS failure

Post by AndieM » 2022-12-24, 23:47

Issue created: Issue #2070 (UXP)
(...a bit short on time, atm)

Moonchild
Pale Moon guru
Posts: 35405
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: multiple HSTS-Headers create HSTS failure

Post by Moonchild » 2022-12-25, 12:07

Was easy once researched. Solved.

AndieM
Moongazer
Posts: 13
Joined: 2019-04-11, 14:49

Re: multiple HSTS-Headers create HSTS failure

Post by AndieM » 2022-12-26, 15:01

Thanks. :thumbup:
