No edit summary |
No edit summary |
||
| Line 36: | Line 36: | ||
# Actually send the HSTS header | # Actually send the HSTS header | ||
# Have a max-age larger than or equal to 18 weeks (10886400) | # Have a max-age larger than or equal to 18 weeks (10886400) | ||
Additionally, whether or not to include subdomains will be based on the header the site actually sends, not the contents of Chrome's list. | |||
A tool is under development to automatically take Chrome's list and turn it into something our code can use. It will be an xpcshell script in security/manager/tools/getHSTSPreloadlist.js. To use it, simply run './path/to/xpcshell path/to/security/manager/tools/getHSTSPreloadList.js' (depending on your platform and environment, you may have to set the equivalent of LD_LIBRARY_PATH). After some network communication, the tool will say what sites from the list it did or did not include in the list. It will generate a file in the current directory called nsSTSPreloadList.inc. To update the preload list, this file should be placed in security/manager/boot/src/. | |||
|Feature implementation plan=* Create a mechanism to import a list of sites using HSTS into the permissions manager | |Feature implementation plan=* Create a mechanism to import a list of sites using HSTS into the permissions manager | ||
** This mechanism must also be able to remove HSTS sites from the permissions manager if necessary (details TBD) | ** This mechanism must also be able to remove HSTS sites from the permissions manager if necessary (details TBD) | ||
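Review bot: the added tool paragraph spells the script name two ways, `security/manager/tools/getHSTSPreloadlist.js` in the description and `path/to/security/manager/tools/getHSTSPreloadList.js` in the command, and on a case-sensitive filesystem only one of them will resolve, so pick one spelling and use it in both places. In the same paragraph, "say what sites from the list it did or did not include in the list" uses "list" for two different things; suggest wording it as which sites from Chrome's list were or were not included in the generated nsSTSPreloadList.inc. Since the paragraph says the output is produced "after some network communication" and the preceding sentence says the include-subdomains decision comes from the header each site actually sends, it is also worth documenting that the generated file depends on live responses at the time of the run and should be compared with the previous nsSTSPreloadList.inc before it is placed in security/manager/boot/src/.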