authorTimur Pocheptsov <timur.pocheptsov@qt.io>2017-01-23 16:56:29 +0100
committerTimur Pocheptsov <timur.pocheptsov@qt.io>2017-01-26 10:24:39 +0000
commite0b55e8b1cdfea3dcb22b949632e4f5bcc200a76 (patch)
tree99d482f4f9ed845527cd7e06ef07ec503154ba60 /src/network/access/qhttpnetworkconnection.cpp
parentfa15162700a18ff243de46954bb613988c199ce7 (diff)
Make our redirect policies STS-aware
This patch changes the way we ensure NoLessSafeRedirectsPolicy and also the way we create actual redirect requests: https->http redirect is now reported as InsecureRedirectError (under NoLessSafeRedirectsPolicy) only if STS is disabled or we were redirected to a host without Strict Transport Security policy. Otherwise, we replace 'http' scheme with 'https' and explicitly set port 80 with port 443 as defined by HTTP Strict Transport Security policy. This scheme/port replacement will affect both NoLessSafeRedirectsPolicy and UserVerifiedRedirectsPolicy (SameOriginRedirectsPolicy does not allow any scheme change and we continue to report such redirects as InsecureRedirectError). Change-Id: Ib370b830e5fb6a0fec503d6fa3a0dec771c4b741 Reviewed-by: Edward Welbourne <edward.welbourne@qt.io> Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Diffstat (limited to 'src/network/access/qhttpnetworkconnection.cpp')
-rw-r--r--src/network/access/qhttpnetworkconnection.cpp11
1 files changed, 5 insertions, 6 deletions
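diff --git a/src/network/access/qhttpnetworkconnection.cpp b/src/network/access/qhttpnetworkconnection.cpp
index 327eaf91bc..fd3cbbe36e 100644
--- a/src/network/access/qhttpnetworkconnection.cpp
+++ b/src/network/access/qhttpnetworkconnection.cpp
@@ -552,12 +552,11 @@ QUrl QHttpNetworkConnectionPrivate::parseRedirectResponse(QAbstractSocket *socke
 if (redirectUrl.scheme() == QLatin1String("http") || redirectUrl.scheme() == QLatin1String("https")) {
 switch (reply->request().redirectsPolicy()) {
 case QNetworkRequest::NoLessSafeRedirectsPolicy:
- // Check if we're doing an unsecure redirect (https -> http)
- if (priorUrl.scheme() == QLatin1String("https")
- && redirectUrl.scheme() == QLatin1String("http")) {
- emitReplyError(socket, reply, QNetworkReply::InsecureRedirectError);
- return QUrl();
- }
+ // Here we could handle https->http redirects as InsecureProtocolError.
+ // However, if HSTS is enabled and redirectUrl.host() is a known STS
+ // host, then we'll replace its scheme and this won't downgrade protocol,
+ // after all. We cannot access QNAM's STS cache from here, so delegate
+ // this check to QNetworkReplyHttpImpl.
 break;
 case QNetworkRequest::SameOriginRedirectsPolicy:
 if (priorUrl.host() != redirectUrl.host()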
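Review bot: The added comment names `InsecureProtocolError`, but the error the removed lines emitted — and the one the commit message says the SameOriginRedirectsPolicy case still reports — is `QNetworkReply::InsecureRedirectError`; a reader grepping for the enum in the comment will not find it. Suggest `// Here we could handle https->http redirects as InsecureRedirectError.` as the first line. Because the NoLessSafeRedirectsPolicy case now enforces nothing in parseRedirectResponse, the https->http downgrade check for this policy lives solely in the QNetworkReplyHttpImpl code that consumes the returned URL, so it would help to name that consuming method in the comment and to add a matching note at that site stating that it is the only enforcement point for this policy. parseRedirectResponse begins before this hunk (only its signature is visible in the hunk header) and continues after it.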