author | trav90 <travawine@palemoon.org> | 2018-06-05 22:23:30 -0500 |
committer | trav90 <travawine@palemoon.org> | 2018-06-05 22:23:30 -0500 |
commit | a32e0cb8c787b42e78e6a2c977523eff866436ca (patch) | |
tree | d4810f290453669a4c702f9a276a1046b906c5bd /security/manager | |
parent | a421f38160599152cd409e4fabd434a224f78487 (diff) | |
Update HSTS preload list generation script
Previous behavior: if an entry was in the previously-used list, and there was an error connecting to or processing the host, the entry was kept with its previous status and its max-age reset to the minimum required TTL.
New behavior: if an entry is in the previously-used list, and there is an error connecting to or processing the host, it will be dropped from the preload list.
The old behavior would allow entries to persist on the HSTS preload list when they drop off the 'net. Considering domain churn, it would cause issues for new owners for having a persisted HSTS entry preloaded in the browser.
Bonus: it keeps our HSTS preload list lean.
Diffstat (limited to 'security/manager')
-rw-r--r-- | security/manager/tools/getHSTSPreloadList.js | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/security/manager/tools/getHSTSPreloadList.js b/security/manager/tools/getHSTSPreloadList.js
index 5b950f938..26fad8a89 100644
--- a/security/manager/tools/getHSTSPreloadList.js
+++ b/security/manager/tools/getHSTSPreloadList.js
@@ -261,16 +261,15 @@ function output(sortedStatuses, currentList) {
   for (let status in sortedStatuses) {
     // If we've encountered an error for this entry (other than the site not
-    // sending an HSTS header), be safe and don't remove it from the list
-    // (given that it was already on the list).
+    // sending an HSTS header), be safe and remove it from the list
+    // (preventing stale entries from accumulating).
     if (status.error != ERROR_NONE && status.error != ERROR_NO_HSTS_HEADER && status.error != ERROR_MAX_AGE_TOO_LOW && status.name in currentList) {
-      dump("INFO: error connecting to or processing " + status.name + " - using previous status on list\n");
+      dump("INFO: error connecting to or processing " + status.name + " - dropping from list\n");
       writeTo(status.name + ": " + errorToString(status) + "\n", eos);
-      status.maxAge = MINIMUM_REQUIRED_MAX_AGE;
-      status.includeSubdomains = currentList[status.name];
+      status.maxAge = 0;
     }
   }
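Review bot: Dropping a previously-listed entry on any connection or processing error (the new `status.maxAge = 0;` line) turns a transient failure on the build host — a DNS hiccup, a timeout, a TLS handshake error — into loss of preload protection for a site that still serves HSTS, and the inherited "be safe" wording in the comment now describes the less conservative direction. The error constants other than `ERROR_NONE`, `ERROR_NO_HSTS_HEADER` and `ERROR_MAX_AGE_TOO_LOW` are not visible here, so it cannot be confirmed which of them mean "domain is gone" rather than "unreachable right now"; if the codes distinguish the two, limiting the drop to the former (or dropping only after the error repeats across consecutive runs) would keep the churn benefit without entries flapping between builds. How a zero `maxAge` becomes an omission is also decided later in `output`, outside this hunk, so a comment such as `// A maxAge of 0 is below MINIMUM_REQUIRED_MAX_AGE, so the entry is omitted when the list is written.` would make the mechanism explicit for the next reader. The body of `output` continues past the end of the hunk.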