-
-
Notifications
You must be signed in to change notification settings - Fork 68
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add HSTS support #301
base: 5.x
Are you sure you want to change the base?
Add HSTS support #301
Conversation
|
||
namespace Amp\Http\Client\Interceptor\Hsts; | ||
|
||
class CombinationHstsJar implements HstsJar |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure if this would be a helpful thing to include - this would allow you to do something like CombinationHstsJar(InMemoryHstsJar, GooglePreloadHstsJar)
to mimic standard browser behavior - anything on the preload list already would be promoted before you accessed it, but any new sites you access which advertise themselves as HSTS would be added to the jar.
|
||
namespace Amp\Http\Client\Interceptor\Hsts; | ||
|
||
final class GooglePreloadListJar extends ReadOnlyHstsJar |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reads from the Google preload list https://hstspreload.org/ - not an official standard but the de facto preload list for most browsers (Chrome, Firefox, Opera, Safari, IE 11+ and Edge)
|
||
public function request(Request $request, Cancellation $cancellation, DelegateHttpClient $httpClient): Response | ||
{ | ||
if ($request->getUri()->getScheme() === "http" && $this->hstsJar->test($request->getUri()->getHost())) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure if we have to test any other schemes than http here (ex. ws => wss)
$hstsJar = new InMemoryHstsJar(); | ||
$hstsJar->register("example.org"); | ||
$this->assertTrue($hstsJar->test("example.org")); | ||
// $this->givenApplicationInterceptor(new HstsInterceptor($hstsJar)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Uncommenting this in makes the test never finish - because the HTTP server for InterceptorTest will not respond to an HTTPS request
Is there any chance of getting this merged into v5, or should this go into a separate project? |
This should go to a separate repo, as we might want to automate releases there with an updated preload list. I can create one so you can open the PR there. 😊 |
Closes #112
Not sure if this should go in a separate project like https://github.com/amphp/http-client-cookies but it is fairly well-contained. Note that I couldn't run the test with a full request because it auto-promotes to HTTPS (which is what we're testing here) and the interception test won't respond with HTTPS.