[websec] Safari restrictions to HSTS
John Wilander <wilander@apple.com> Tue, 30 January 2018 21:51 UTC
Return-Path: <wilander@apple.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5E181309F4 for <websec@ietfa.amsl.com>; Tue, 30 Jan 2018 13:51:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.309
X-Spam-Level:
X-Spam-Status: No, score=-4.309 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qeLMMaUlc_M2 for <websec@ietfa.amsl.com>; Tue, 30 Jan 2018 13:51:47 -0800 (PST)
Received: from mail-in24.apple.com (mail-out24.apple.com [17.171.2.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C07AE131101 for <websec@ietf.org>; Tue, 30 Jan 2018 13:51:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1517349106; x=2381262706; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=0JfYyI5XVEmYrJs7nhm0rnu9WAmiSlCnppukiPuQmzQ=; b=sjGouyVtWq4Z+v8t22x2rly6wmOffuQRpFHXHb0hISpaSvA8DxiN82qletu88QY2 f8vPpXhp8RkUTuNIOpVmLY1Uq06E3Cp0KeEh6/oNAQOuCmylSbqdEl1L8BZQGwQd 4wh/yLrdjSc26usPnNU/DMMnm1NQ6a4/+i/C97OrTX7P+ZP2L6RBbqspriR5Ivh/ KtCwnskWr2ALvNBa/qEaV9y8MFAvj1Mj7c8L94k395JDgyugX4wqCBpUqG5pt5AO pkNwwArQ/KPRHchvNBHgjZH4VQaxSrPh1KUbBnVgdWSS1bSwOqnt9whV5KC62TvO 1a108sSaVHQ/u4Hj+7OzqA==;
Received: from relay8.apple.com (relay8.apple.com [17.128.113.102]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail-in24.apple.com (Apple Secure Mail Relay) with SMTP id 8C.C9.10828.2F8E07A5; Tue, 30 Jan 2018 13:51:46 -0800 (PST)
X-AuditID: 11ab0218-260a89e000002a4c-ec-5a70e8f2fec1
Received: from nwk-mmpp-sz09.apple.com (nwk-mmpp-sz09.apple.com [17.128.115.80]) by relay8.apple.com (Apple SCV relay) with SMTP id 50.4E.22651.2F8E07A5; Tue, 30 Jan 2018 13:51:46 -0800 (PST)
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_XNJwh7xvKnfyzJ9pDgzPoQ)"
Received: from [17.202.48.94] (unknown [17.202.48.94]) by nwk-mmpp-sz09.apple.com (Oracle Communications Messaging Server 8.0.2.1.20180104 64bit (built Jan 4 2018)) with ESMTPSA id <0P3E008N622ATL90@nwk-mmpp-sz09.apple.com> for websec@ietf.org; Tue, 30 Jan 2018 13:51:46 -0800 (PST)
Sender: wilander@apple.com
From: John Wilander <wilander@apple.com>
Message-id: <F37486C4-5443-46EE-A2FE-8B3A4579AE62@apple.com>
Date: Tue, 30 Jan 2018 13:51:45 -0800
To: websec@ietf.org
X-Mailer: Apple Mail (2.3445.6.7)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrKLMWRmVeSWpSXmKPExsUi2FCYpvvpRUGUwfO7Vhan5y1mdWD0WLLk J1MAYxSXTUpqTmZZapG+XQJXxonblxkL5stVPNl6lLGBcb5UFyMnh4SAicTNC33sXYxcHEIC a5kkepr2s8IkZu6/wAyROMgo8XHpdTaQBK+AoMSPyfdYQGxmgTCJL+8ms0IULWaS2DttDztI QlhASuL6tM9MIDabgIbEilUL2CDiKhLLny4GauAAGmQj8eMMN0iYRUBVYsPhDnaQsIiAsMTi LzUQNyhKND/5BDZeQuApq8Tab3PZJjDyz0JyxiwkZ8wCamcWUJeYMiUXIqwt8eTdBVYIW01i 4e9FTMjiCxjZVjEK5yZm5uhm5hmZ6CUWFOSk6iXn525iBIXraiaJHYxfXhseYhTgYFTi4eWo KIgSYk0sK67MPcQozcGiJM4bqZwVJSSQnliSmp2aWpBaFF9UmpNafIiRiYNTqoFx1n6e7n+n jacEGCRdW78ms78m+2XRyodHRb7y3le4E5I+R0bFfOmKx+kasVwnTgYGc6hF7xSwVVHq2V0a /XHeX0chS0uJVaKrhZYnzFe5nfvmFevarj0P7pYrPXP1Uu4TM7Rp+JvIGSs0x+pDpfqsz0sn /HrEu/N5bkrbaxkWqUpx12XM87OUWIozEg21mIuKEwES+be3OAIAAA==
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprOLMWRmVeSWpSXmKPExsUi2FAcoPvpRUGUwabNWhan5y1mdWD0WLLk J1MAYxSXTUpqTmZZapG+XQJXxonblxkL5stVPNl6lLGBcb5UFyMnh4SAicTM/ReYuxi5OIQE DjJKfFx6nQ0kwSsgKPFj8j0WEJtZIEziy7vJrBBFi5kk9k7bww6SEBaQkrg+7TMTiM0moCGx YtUCNoi4isTyp4uBGjiABtlI/DjDDRJmEVCV2HC4gx0kLCIgLLH4Sw3EDYoSzU8+sU5g5JmF ZPMsJJtnAXUwC6hLTJmSCxHWlnjy7gIrhK0msfD3IiZk8QWMbKsYBYpScxIrLfQSCwpyUvWS 83M3MYKDqzBtB2PTcqtDjAIcjEo8vBwVBVFCrIllxZW5hxglOJiVRHhFVudHCfGmJFZWpRbl xxeV5qQWH2KU5mBREud9xZMbJSSQnliSmp2aWpBaBJNl4uCUamAsz8lPdA9LVMrf2fize3Xa qTPSsYcerniZcdvnis9lpwttSeX+/o0dGyff6b379Pn2mNV1J1+IFtRPb1P6qM3BnS7eVhOw uGljjciJhDm3n7wpmK72+XlwwVbV2QdN7/BM9z+ukMzkw3ahzVst+XbGukeZv3zPxurM6DJt nezXe1hcL9E+86ISS3FGoqEWc1FxIgAeMKp7KgIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/websec/t_R00ZDVHrBmroEX989GeaXdejE>
X-Mailman-Approved-At: Mon, 05 Feb 2018 08:08:26 -0800
Subject: [websec] Safari restrictions to HSTS
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jan 2018 21:53:38 -0000
Hi WebSec @ IETF! My name is John Wilander and I’m a security engineer on Apple’s WebKit team. WebKit, and thus our browser Safari, has some special rules for (non-preload) HSTS to mitigate HSTS super cookies. I’m sending over the details in case you want to augment the HSTS specification. Basic rule: Only allow first parties to set HSTS. If it’s a response to a top frame load that has an HSTS header, it is obviously the first party so that's automatically handled. If it’s a response to a subresource request, it gets more interesting. As of our latest releases, we only allow the current first-party domain and its eTLD+1 (formally public suffix + 1) to set HSTS in subresource responses. Example: Say you have loaded a page from https://sub.domain.example.com <https://sub.domain.example.com/>. A response to a subresource request on that page may set HSTS for: sub.domain.example.com <http://sub.domain.example.com/> and example.com <http://example.com/> It may not set HSTS for: some.sub.domain.example.com <http://some.sub.domain.example.com/>, domain.example.com <http://domain.example.com/>, or other.org <http://other.org/> Kind regards, John Wilander
- [websec] Safari restrictions to HSTS John Wilander
- Re: [websec] Safari restrictions to HSTS Lucas Garron