SecurityEngineering/HTTP Strict Transport Security (HSTS) Preload List: Difference between revisions

the automated job now runs every day
(some reorganization, add update output for other branches)
(the automated job now runs every day)
Line 1: Line 1:
Firefox ships with a list of hosts that are considered HTTP Strict Transport Security (HSTS - [https://tools.ietf.org/html/rfc6797 see RFC 6797]) by default. This list is based on [https://www.chromium.org/hsts/ a list Chromium maintains]. The versions of the list as it exists in the various channels of Firefox are available here: [https://hg.mozilla.org/mozilla-central/file/tip/security/manager/ssl/nsSTSPreloadList.inc mozilla-central] [https://hg.mozilla.org/releases/mozilla-aurora/file/tip/security/manager/ssl/nsSTSPreloadList.inc mozilla-aurora] [https://hg.mozilla.org/releases/mozilla-beta/file/tip/security/manager/ssl/nsSTSPreloadList.inc mozilla-beta] [https://hg.mozilla.org/releases/mozilla-release/file/tip/security/manager/ssl/nsSTSPreloadList.inc mozilla-release] [https://hg.mozilla.org/releases/mozilla-esr45/file/tip/security/manager/ssl/nsSTSPreloadList.inc mozilla-esr45].
Firefox ships with a list of hosts that are considered HTTP Strict Transport Security (HSTS - [https://tools.ietf.org/html/rfc6797 see RFC 6797]) by default. This list is based on [https://www.chromium.org/hsts/ a list Chromium maintains]. The versions of the list as it exists in the various channels of Firefox are available here: [https://hg.mozilla.org/mozilla-central/file/tip/security/manager/ssl/nsSTSPreloadList.inc mozilla-central] [https://hg.mozilla.org/releases/mozilla-aurora/file/tip/security/manager/ssl/nsSTSPreloadList.inc mozilla-aurora] [https://hg.mozilla.org/releases/mozilla-beta/file/tip/security/manager/ssl/nsSTSPreloadList.inc mozilla-beta] [https://hg.mozilla.org/releases/mozilla-release/file/tip/security/manager/ssl/nsSTSPreloadList.inc mozilla-release] [https://hg.mozilla.org/releases/mozilla-esr45/file/tip/security/manager/ssl/nsSTSPreloadList.inc mozilla-esr45].


Each Saturday, an automated job attempts to update the preload list in mozilla-central, mozilla-aurora, and mozilla-esr. This involves running an xpcshell script that makes an https request to each candidate host on the list. If xpcshell can connect successfully to a host and receives a "Strict-Transport-Security" header with a max-age value of at least 10886400 (18 weeks in seconds), that host is included in the list (the "preload" directive is ignored). If xpcshell cannot connect successfully to a host or does not receive an appropriate header, that host is not included in the preload list. A corresponding entry in [https://hg.mozilla.org/mozilla-central/file/tip/security/manager/ssl/nsSTSPreloadList.errors this file] may help in determining the underlying error.
Every day, an automated job attempts to update the preload list in mozilla-central, mozilla-aurora, and mozilla-esr. This involves running an xpcshell script that makes an https request to each candidate host on the list. If xpcshell can connect successfully to a host and receives a "Strict-Transport-Security" header with a max-age value of at least 10886400 (18 weeks in seconds), that host is included in the list (the "preload" directive is ignored). If xpcshell cannot connect successfully to a host or does not receive an appropriate header, that host is not included in the preload list. A corresponding entry in [https://hg.mozilla.org/mozilla-central/file/tip/security/manager/ssl/nsSTSPreloadList.errors this file] may help in determining the underlying error.
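As an added illustration of the acceptance rule described in the paragraph above (this is not the getHSTSPreloadList.js script from mozilla-central, and JavaScript is used only because the real job is an xpcshell script), the code below parses a Strict-Transport-Security header the way RFC 6797 defines it, applies the 18-week max-age threshold, ignores the "preload" directive, and records a reason for every host it rejects, much as the errors file does. All host names and responses are constructed sample data, not real scan output.

```javascript
// Added example, not the project's own code. Decides which candidate hosts
// would be kept in the preload list using the rule stated on the page:
// connect over https, then require max-age >= 18 weeks; "preload" is ignored.

// 18 weeks in seconds, the minimum max-age the job accepts.
const MIN_MAX_AGE = 10886400;

// Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).
// Directive names are case-insensitive and values may be quoted.
// Returns null when the header is unusable: no max-age, a non-numeric
// max-age, or a directive that appears more than once (RFC 6797 forbids it).
function parseStsHeader(value) {
  const directives = {};
  for (const rawPart of value.split(';')) {
    const part = rawPart.trim();
    if (part === '') continue;
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : part.slice(eq + 1).trim();
    if (val !== null && val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
      val = val.slice(1, -1); // strip quoted-string delimiters
    }
    if (name in directives) return null; // duplicate directive: malformed
    directives[name] = val;
  }
  if (!('max-age' in directives) || !/^\d+$/.test(directives['max-age'] || '')) {
    return null;
  }
  return {
    maxAge: Number(directives['max-age']),
    includeSubdomains: 'includesubdomains' in directives,
    preload: 'preload' in directives,
  };
}

// Classify one scan result of the form { connected: bool, sts: string|null }.
// Returns { include: bool, error: string|null }; the error text is what a
// corresponding entry in an errors file would explain.
function evaluateHost(result) {
  if (!result.connected) {
    return { include: false, error: 'could not connect' };
  }
  if (result.sts === null) {
    return { include: false, error: 'no Strict-Transport-Security header' };
  }
  const parsed = parseStsHeader(result.sts);
  if (parsed === null) {
    return { include: false, error: 'malformed Strict-Transport-Security header' };
  }
  if (parsed.maxAge < MIN_MAX_AGE) {
    return { include: false, error: `max-age too low: ${parsed.maxAge} < ${MIN_MAX_AGE}` };
  }
  // The "preload" directive is deliberately not consulted, as the page states.
  return { include: true, error: null };
}

// Build the sorted list of hosts to keep and a host -> reason map for the rest.
function updatePreloadList(scanResults) {
  const included = [];
  const errors = {};
  for (const [host, result] of Object.entries(scanResults)) {
    const verdict = evaluateHost(result);
    if (verdict.include) included.push(host);
    else errors[host] = verdict.error;
  }
  included.sort();
  return { included, errors };
}

// Constructed sample scan results; these are not responses from real hosts.
const SAMPLE_SCAN = {
  'a.example': { connected: true, sts: 'max-age=31536000; includeSubDomains; preload' },
  'b.example': { connected: true, sts: 'max-age=10886400' },                // exactly 18 weeks: kept
  'c.example': { connected: true, sts: 'max-age=86400; preload' },          // preload present, max-age too low
  'd.example': { connected: true, sts: null },                              // connected, no header
  'e.example': { connected: false, sts: null },                             // connection failed
  'f.example': { connected: true, sts: 'max-age="31536000"; max-age=0' },   // duplicate directive
};

const sampleOutcome = updatePreloadList(SAMPLE_SCAN);
console.log('included:', sampleOutcome.included);
console.log('errors:', sampleOutcome.errors);
```

Running it keeps a.example and b.example and rejects the other four, each with a reason. Note that c.example is rejected even though it sends "preload": under the rule on this page only the max-age value decides inclusion.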


The xpcshell script is [https://hg.mozilla.org/mozilla-central/file/tip/security/manager/tools/getHSTSPreloadList.js here]. Output from the automated job as run on each branch is available here: [https://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64/ mozilla-central] [https://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-aurora-linux64/ mozilla-aurora] [https://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-esr45-linux64/ mozilla-esr45] (search for "periodicupdate").
The xpcshell script is [https://hg.mozilla.org/mozilla-central/file/tip/security/manager/tools/getHSTSPreloadList.js here]. Output from the automated job as run on each branch is available here: [https://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64/ mozilla-central] [https://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-aurora-linux64/ mozilla-aurora] [https://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-esr45-linux64/ mozilla-esr45] (search for "periodicupdate").