Add HSTS support #301
Add HSTS support #301
Conversation
|
|
||
| namespace Amp\Http\Client\Interceptor\Hsts; | ||
|
|
||
| class CombinationHstsJar implements HstsJar |
There was a problem hiding this comment.
Not sure if this would be a helpful thing to include - this would allow you to do something like CombinationHstsJar(InMemoryHstsJar, GooglePreloadHstsJar) to mimic standard browser behavior - anything on the preload list already would be promoted before you accessed it, but any new sites you access which advertise themselves as HSTS would be added to the jar.
|
|
||
| namespace Amp\Http\Client\Interceptor\Hsts; | ||
|
|
||
| final class GooglePreloadListJar extends ReadOnlyHstsJar |
There was a problem hiding this comment.
Reads from the Google preload list https://hstspreload.org/ - not an official standard but the de facto preload list for most browsers (Chrome, Firefox, Opera, Safari, IE 11+ and Edge)
|
|
||
| public function request(Request $request, Cancellation $cancellation, DelegateHttpClient $httpClient): Response | ||
| { | ||
| if ($request->getUri()->getScheme() === "http" && $this->hstsJar->test($request->getUri()->getHost())) { |
There was a problem hiding this comment.
Not sure if we have to test any other schemes than http here (ex. ws => wss)
| $hstsJar = new InMemoryHstsJar(); | ||
| $hstsJar->register("example.org"); | ||
| $this->assertTrue($hstsJar->test("example.org")); | ||
| // $this->givenApplicationInterceptor(new HstsInterceptor($hstsJar)); |
There was a problem hiding this comment.
Uncommenting this in makes the test never finish - because the HTTP server for InterceptorTest will not respond to an HTTPS request
|
Is there any chance of getting this merged into v5, or should this go into a separate project? |
|
This should go to a separate repo, as we might want to automate releases there with an updated preload list. I can create one so you can open the PR there. 😊 |
Closes #112
Not sure if this should go in a separate project like https://github.com/amphp/http-client-cookies but it is fairly well-contained. Note that I couldn't run the test with a full request because it auto-promotes to HTTPS (which is what we're testing here) and the interception test won't respond with HTTPS.