Discussion:
[chromium-discuss] http://www.gstatic.com/generate_204 error and hsts
Chris KD
2018-09-17 09:51:51 UTC
Hi team,

As per google_chrome_privacy, "Chrome will make a
cookieless request to http://www.gstatic.com/generate_204 and check the
response code. If that request is redirected, Chrome will open the redirect
target in a new tab on the assumption that it's a login page".

However, as per https://www.chromium.org/hsts: "An HSTS enabled
server can include the following header in an HTTPS reply:

Strict-Transport-Security: max-age=16070400; includeSubDomains

When the browser sees this, it will remember, for the given number of
seconds, that the current domain should only be contacted over HTTPS. In
the future, if the user types http:// or omits the scheme, HTTPS is the
default. In fact, all requests for URLs in the current domain will be
redirected to HTTPS."


Question is, if there is a "http://www.gstatic.com/generate_204" URL
generated by Chrome and if there is a cookie for an HTTPS site that I'm
trying to access, would HSTS get triggered?

Regards,

Chris
--
--
Chromium Discussion mailing list: chromium-***@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-discuss

---
You received this message because you are subscribed to the Google Groups "Chromium-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-discuss+***@chromium.org.
PhistucK
2018-09-17 10:12:45 UTC
I assume this specific request does not go through the HTTP Strict
Transport Security handling. Have you tried?

This looks like the code for handling this feature -
https://cs.chromium.org/chromium/src/components/captive_portal/captive_portal_detector.cc?q=generate_204&sq=package:chromium&g=0&l=91

☆*PhistucK*
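
The host matching that the question turns on, as an added example that is not part of the thread or of Chromium's code: a minimal HSTS store following RFC 6797, where `site.example` is a hypothetical site and all inputs are constructed. It models the HSTS lookup only and does not show whether Chrome's captive-portal probe goes through that lookup.

```javascript
// RFC 6797 host matching (added example, not Chromium's implementation).
class HstsStore {
  constructor() { this.entries = new Map(); } // host -> { expires, includeSubDomains }

  // Record a Strict-Transport-Security header. It is honoured only on an
  // HTTPS response; max-age is required and max-age=0 deletes the entry.
  noteHeader(responseUrl, headerValue, nowSec) {
    const url = new URL(responseUrl);
    if (url.protocol !== 'https:') return false;
    let maxAge = null, includeSubDomains = false;
    for (const part of headerValue.split(';')) {
      const [name, value = ''] = part.split('=').map((s) => s.trim());
      if (/^max-age$/i.test(name) && /^"?\d+"?$/.test(value)) maxAge = parseInt(value.replace(/"/g, ''), 10);
      else if (/^includeSubDomains$/i.test(name)) includeSubDomains = true;
    }
    if (maxAge === null) return false;
    if (maxAge === 0) this.entries.delete(url.hostname);
    else this.entries.set(url.hostname, { expires: nowSec + maxAge, includeSubDomains });
    return true;
  }

  // A host matches its own live entry, or a parent's entry that set includeSubDomains.
  isKnownHstsHost(host, nowSec) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const e = this.entries.get(labels.slice(i).join('.'));
      if (e && e.expires > nowSec && (i === 0 || e.includeSubDomains)) return true;
    }
    return false;
  }

  // Rewrite http:// to https:// only when the request's own host matches.
  upgrade(requestUrl, nowSec) {
    const url = new URL(requestUrl);
    if (url.protocol === 'http:' && this.isKnownHstsHost(url.hostname, nowSec)) url.protocol = 'https:';
    return url.href;
  }
}

// Constructed scenario: site.example (hypothetical) sent the header quoted in the thread.
function demo() {
  const store = new HstsStore();
  store.noteHeader('https://site.example/', 'max-age=16070400; includeSubDomains', 0);
  return {
    probe: store.upgrade('http://www.gstatic.com/generate_204', 10),
    sameSite: store.upgrade('http://login.site.example/', 10),
    afterExpiry: store.upgrade('http://site.example/', 16070400),
  };
}
```

In this model the state stored for `site.example` never affects a request to `www.gstatic.com`: an upgrade needs an entry for the request's own host, or for a parent domain that set `includeSubDomains`.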