(update esr52 -> esr60, fix some links with move to taskcluster/treeherder)
(update search string for treeherder links)
Every day, an automated job attempts to update the preload list in mozilla-central and mozilla-esr. This involves running an xpcshell script that makes an HTTPS request to each candidate host on the list. If xpcshell can connect successfully to a host and receives a "Strict-Transport-Security" header with a max-age value of at least 10886400 (18 weeks in seconds), that host is included in the list (the "preload" directive is ignored). If xpcshell cannot connect successfully to a host or does not receive an appropriate header, that host is not included in the preload list.
The xpcshell script is [https://hg.mozilla.org/mozilla-central/file/tip/taskcluster/docker/periodic-updates/scripts/getHSTSPreloadList.js here]. Output from the automated job as run on each branch is available here: [https://treeherder.mozilla.org/#/jobs?repo=mozilla-central&searchStr=pfu mozilla-central] [https://treeherder.mozilla.org/#/jobs?repo=mozilla-esr60&searchStr=pfu esr60] (scroll down until there's a line containing "pfu", click on that, then click on "live.log" in the pane that pops up).
To guard against accidentally dropping a host from the list due to intermittent network issues or an active attacker, if a host is already on the preload list in Firefox but cannot be reached, the script keeps it on the preload list. For a host to be removed from Firefox's preload list, it must be accessible when the update script runs and it must either not send a Strict-Transport-Security header or it must send the header with a max-age less than 10886400.
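The include, keep and remove rules above can be written as one decision function. The following is an added example, not Mozilla's getHSTSPreloadList.js; the names parseMaxAge, decide and updateList, the probe object shape and the sample hosts are all assumptions made for illustration.

```javascript
// Added illustration of the update rules described above.
// All names and the sample data are hypothetical, not taken from the real script.
const MIN_MAX_AGE = 10886400; // 18 weeks in seconds, the threshold stated on this page

// Extract max-age from a Strict-Transport-Security value.
// Returns the number of seconds, or null if the directive is absent or malformed.
function parseMaxAge(headerValue) {
  if (typeof headerValue !== "string") return null;
  let maxAge = null;
  for (const part of headerValue.split(";")) {
    const [name, ...rest] = part.split("=");
    if (name.trim().toLowerCase() !== "max-age") continue; // "preload" etc. are ignored
    if (maxAge !== null) return null; // repeated directive: treat the header as invalid
    const value = rest.join("=").trim().replace(/^"(.*)"$/, "$1"); // allow quoted form
    if (!/^\d+$/.test(value)) return null;
    maxAge = Number(value);
  }
  return maxAge;
}

// probe: { reachable: boolean, header: string|null } for one HTTPS request.
function decide(probe, alreadyPreloaded) {
  if (!probe.reachable) {
    // An unreachable host is never added, but is never dropped either, so a
    // network fault or an active attacker cannot strip an existing entry.
    return alreadyPreloaded ? "keep" : "exclude";
  }
  const maxAge = parseMaxAge(probe.header);
  return maxAge !== null && maxAge >= MIN_MAX_AGE ? "include" : "exclude";
}

// Build the next list from the current list and a map of host -> probe result.
function updateList(currentList, probes) {
  const current = new Set(currentList);
  return Object.keys(probes)
    .filter((host) => decide(probes[host], current.has(host)) !== "exclude")
    .sort();
}

// Constructed sample input: b.example and c.example are already on the list.
const sampleProbes = {
  "a.example": { reachable: true, header: "max-age=31536000; includeSubDomains; preload" },
  "b.example": { reachable: false, header: null },
  "c.example": { reachable: true, header: "max-age=3600" },
  "d.example": { reachable: false, header: null },
  "e.example": { reachable: true, header: null },
};
console.log(updateList(["b.example", "c.example"], sampleProbes));
```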
The preload list has a built-in expiration time that is 18 weeks from when the list was most recently updated.