[websec] [Technical Errata Reported] RFC6797 (8153)

RFC Errata System <rfc-editor@rfc-editor.org> Fri, 18 October 2024 17:02 UTC

Return-Path: <wwwrun@rfcpa.rfc-editor.org>
X-Original-To: websec@ietf.org
Delivered-To: websec@ietfa.amsl.com
Received: from rfcpa.rfc-editor.org (unknown [167.172.21.234]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D8BAC081E37; Fri, 18 Oct 2024 10:02:22 -0700 (PDT)
Received: by rfcpa.rfc-editor.org (Postfix, from userid 461) id 9CFEC1BC14D; Fri, 18 Oct 2024 10:02:21 -0700 (PDT)
To: Jeff.Hodges@PayPal.com, collin.jackson@sv.cmu.edu, ietf@adambarth.com, superuser@gmail.com, orie@transmute.industries, tobias.gondrom@gondrom.org, ynir.ietf@gmail.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20241018170221.9CFEC1BC14D@rfcpa.rfc-editor.org>
X-MailFrom: wwwrun@rfcpa.rfc-editor.org
X-Mailman-Rule-Hits: max-recipients
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-websec.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-size; news-moderation; no-subject; digests; suspicious-header
Message-ID-Hash: FY36SCYEFFKLOK3ILJFAFCR4MSHZGR52
X-Message-ID-Hash: FY36SCYEFFKLOK3ILJFAFCR4MSHZGR52
X-Mailman-Approved-At: Mon, 09 Dec 2024 18:31:31 -0800
CC: ericlaw@microsoft.com, websec@ietf.org, rfc-editor@rfc-editor.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [websec] [Technical Errata Reported] RFC6797 (8153)
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/websec/PGSdXV_PeFupA3VjxhsorMAEv5o>
List-Archive: <https://mailarchive.ietf.org/arch/browse/websec>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Owner: <mailto:websec-owner@ietf.org>
List-Post: <mailto:websec@ietf.org>
List-Subscribe: <mailto:websec-join@ietf.org>
List-Unsubscribe: <mailto:websec-leave@ietf.org>
Date: Fri, 18 Oct 2024 17:02:23 -0000
X-Original-Date: Fri, 18 Oct 2024 10:02:21 -0700 (PDT)

The following errata report has been submitted for RFC6797,
"HTTP Strict Transport Security (HSTS)".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid8153

--------------------------------------
Type: Technical
Reported by: Eric Matthew Lawrence <ericlaw@microsoft.com>

Section: 8.1.1

Original Text
-------------
8.1.1.  Noting an HSTS Host - Storage Model

   If the substring matching the host production from the Request-URI
   (of the message to which the host responded) syntactically matches
   the IP-literal or IPv4address productions from Section 3.2.2 of
   [RFC3986], then the UA MUST NOT note this host as a Known HSTS Host.

   Otherwise, if the substring does not congruently match a Known HSTS
   Host's domain name, per the matching procedure specified in
   Section 8.2 ("Known HSTS Host Domain Name Matching"), then the UA
   MUST note this host as a Known HSTS Host, caching the HSTS Host's
   domain name and noting along with it the expiry time of this
   information, as effectively stipulated per the given max-age value,
   as well as whether the includeSubDomains directive is asserted or
   not.  See also Section 11.2 ("HSTS Policy Expiration Time
   Considerations").

   The UA MUST NOT modify the expiry time or the includeSubDomains
   directive of any superdomain matched Known HSTS Host.

   A Known HSTS Host is "expired" if its cache entry has an expiry date
   in the past.  The UA MUST evict all expired Known HSTS Hosts from its
   cache if, at any time, an expired Known HSTS Host exists in the
   cache.

Corrected Text
--------------
8.1.1.  Noting an HSTS Host - Storage Model

   If the substring matching the host production from the Request-URI
   (of the message to which the host responded) syntactically matches
   the IP-literal or IPv4address productions from Section 3.2.2 of
   [RFC3986], then the UA MUST NOT note this host as a Known HSTS Host.

   If the substring matching the host production from the Request-URI
   (of the message to which the host responded) syntactically matches
   the string "localhost" or ends with ".localhost", then the UA MAY
   choose not to note this host as a Known HSTS host.

   Otherwise, if the substring does not congruently match a Known HSTS
   Host's domain name, per the matching procedure specified in
   Section 8.2 ("Known HSTS Host Domain Name Matching"), then the UA
   MUST note this host as a Known HSTS Host, caching the HSTS Host's
   domain name and noting along with it the expiry time of this
   information, as effectively stipulated per the given max-age value,
   as well as whether the includeSubDomains directive is asserted or
   not.  See also Section 11.2 ("HSTS Policy Expiration Time
   Considerations").

   The UA MUST NOT modify the expiry time or the includeSubDomains
   directive of any superdomain matched Known HSTS Host.

   A Known HSTS Host is "expired" if its cache entry has an expiry date
   in the past.  The UA MUST evict all expired Known HSTS Hosts from its
   cache if, at any time, an expired Known HSTS Host exists in the
   cache.

Notes
-----
Localhost is already a secure context and unambiguously refers to the local machine, for which transport-level security is not required. Because multiple software packages from independent vendors commonly run on localhost (and web developers commonly use localhost for testing), but HSTS is applied to ALL ports on a given host, the setting of HSTS rules for localhost can cause unexpected and difficult to avoid functional errors.

Firefox does not apply HSTS to Localhost requests and a corresponding change is pending for Chromium (see https://crbug.com/41251622)

Instructions:
-------------
This erratum is currently posted as "Reported". (If it is spam, it 
will be removed shortly by the RFC Production Center.) Please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
will log in to change the status and edit the report, if necessary.

--------------------------------------
RFC6797 (draft-ietf-websec-strict-transport-sec-14)
--------------------------------------
Title               : HTTP Strict Transport Security (HSTS)
Publication Date    : November 2012
Author(s)           : J. Hodges, C. Jackson, A. Barth
Category            : PROPOSED STANDARD
Source              : Web Security
Stream              : IETF
Verifying Party     : IESG