NPAPI:HSTS

From MozillaWiki
Revision as of 00:25, 17 November 2011 by Thassloc (talk | contribs) (Created page with "== Status == Initial draft == Contributors == * Last modified: 16 Nov 2011 * Authors: Travis Hassloch (Adobe) == Overview == Plugins should be given the opportunity t...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Status

Initial draft

Contributors

 * Last modified: 16 Nov 2011
* Authors: Travis Hassloch (Adobe)

Overview

Plugins should be given the opportunity to take advantage of HSTS "notes" stored by the browser.

Specification

First, observe how HTTP redirect handling works: https://wiki.mozilla.org/NPAPI:HTTPRedirectHandling

This is the process by which a site transitions from HTTP to HTTPS, and only over HTTPS may it deliver a valid HSTS header. The point of this header is to skip the initial redirect.

If the browser vendors like this idea, then normal HTTP redirect handling can be used in the case where HSTS notes have recorded that the site wishes to be accessed over HTTPS only. In this case, the browser emulates the same functionality the site did at the time of first access, and this is the simplest (and fastest) implementation for plugins. Open question is whether it should be a 302, or some other redirect.

The backup proposal is a call to a plugin API, very similar to a redirect, only it is a strict notification (the only "safe" option is to honor it, or terminate - a plugin which knew about the HSTS stuff ahead of time in order to set up fancy processing should have just used a HTTPS link in the first place, presumably). 

void NPP_URLHSTSNotify(NPP instance, const char* url, int32_t status, void* notifyData);
  •  instance: The plug-in instance that made the request.
  •  url: The resolved strictly-ASCII URI for the redirect.
  •  notifyData: The plugin's private request data.
Retrieved from "https://wiki.allizom.org/index.php?title=NPAPI:HSTS&oldid=370429"