<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Jan 12, 2014 at 3:18 PM, Yan Zhu <span dir="ltr"><<a href="mailto:yan@eff.org" target="_blank">yan@eff.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA512<br>
<br>
</div>Hey! Thanks for getting back on this. I'm on travel next week and<br>
might be slow to respond/merge stuff, but it'll happen! :)<br>
<br>
One quick comment:<br>
<div><br>
> 4. Code review comments regarding injecting STS. Chrome doesn't<br>
> have an API to edit STS records. We could inject STS headers but<br>
> this would be dangerous, since without a way to remove such<br>
> directives, sites that stop working with https would be broken<br>
> forever.<br>
><br>
<br>
</div>I mentioned this on Github, but you can nullify STS directives by<br>
injecting a STS header with max-age=0 into the response. Note that<br>
this doesn't actually remove the original STS directive from the<br>
database (at least not in Firefox).<br></blockquote><div><br></div><div>Ah yes, would could of course do this. The only concern is if we do, things become substantially more complicated. We have to handle these cases correctly:</div>
<div><br></div><div>1. site that used to be http, now should be https.</div><div>2. site that we previously added to https should now be http only.</div><div>3. site that itself set STS before, but had one of our rules removed.</div>
<div><br></div><div><br></div><div>In the current system, all of these are stateless: if there's a rule, then redirect, otherwise, don't.</div><div><br></div><div> If we start injecting STS without a way to query the current STS state, I'm not even sure we can do this correctly. (1) is obvious (we inject a header). (2) and (3) are much more problematic. We'll have to keep track of which sites we added STS directives for, versus which sites had their own STS directives. Then, every time we have new rules, we have to diff the old state against the new state, and remember to inject a max-age=0 header for those sites. This is very hard to get right, but what happens when a site pushes an STS header when our extension is disabled, then we add, then remove a directive? There's really no way for us to know if it's safe to remove the STS header. </div>
<div><br></div><div>Thus I think we shouldn't inject STS headers.</div>
</div></div></div>