Comments (4)
From a conversation prior, so it's recorded:
Many .gov sites will start to pull from dap.digitalgov.gov to reference the DAP's JavaScript site. Because it's a high-value target, the domain will enforce HTTPS and add HSTS headers. However, a couple HTTP sites who have embedded it used protocol-relative URLs, even though the site enforced HTTPS, because protocol-relative URLs are such common practice.
For a third party service with that high of a footprint in the federal government, allowing people to use insecure redirects (which would allow any network to trivially hijack requests) is a non-starter. The subdomain is new and hasn't been used before, so the ideal would be to shut off port 80 altogether. However, that's challenging for a CDN, which hosts many sites on the same IP addresses, to do.
A 403 error for all HTTP requests would not have met the standard set out in https.cio.gov, where HTTP should be used only for redirects. That requirement is helpful both to encourage secure behavior and make auditing simpler.
So, DAP is now combining a redirect with a 403, so that any HTTP request is redirected to HTTPS with a path of `/403/` with a 403 status code. Requests that begin as HTTPS work as normal. This meets requirements, while also ensuring that agencies must use an `https://` URL to do the reference (or use a protocol-relative URL on an HTTPS site) for the reference to work and for data reporting to operate.

So basically, this intentionally breaks protocol-relative URLs as a pattern that many (most) agencies can use for this JS file. Disabling port 80 would also have done this. For high-sensitivity domains whose URLs people aren't typing into their browser, and where there's no legacy use of HTTP to worry about, look at disabling HTTP, or a workaround like the above, as an option.
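The redirect-plus-403 behaviour described in the comment above, modelled as an added example (not DAP's or the CDN's own configuration): a simulated edge, a redirect follower, and an auditor for the https.cio.gov rule that HTTP may only ever redirect. The hostname is taken from the thread; the responses and the `/dap.js` path are constructed, not captured from the real service.

```python
"""Model of the dap.digitalgov.gov HTTP handling and an auditor for the
'HTTP only redirects' rule. Responses are constructed for illustration."""
from urllib.parse import urlsplit

HOST = "dap.digitalgov.gov"          # hostname from the thread
REDIRECTS = (301, 302, 307, 308)


def respond(scheme, path):
    """Simulate the edge's answer to one request: (status, headers)."""
    if scheme == "http":
        # Port 80 never serves content: every HTTP request, whatever the
        # path, is bounced to the HTTPS /403/ URL.
        return 301, {"Location": f"https://{HOST}/403/"}
    if path == "/403/":
        return 403, {}               # landing URL for redirected HTTP traffic
    return 200, {"Content-Type": "application/javascript"}


def follow(scheme, path, max_hops=5):
    """Follow redirects as a browser would; return the final status code."""
    for _ in range(max_hops):
        status, headers = respond(scheme, path)
        if status not in REDIRECTS:
            return status
        target = urlsplit(headers["Location"])
        scheme, path = target.scheme, target.path
    raise RuntimeError("redirect loop")


def audit_http_only_redirects(samples):
    """https.cio.gov check over {path: (status, headers)} seen on port 80:
    every response must be a redirect to an https:// URL.
    Returns a list of (path, reason) violations; empty means compliant."""
    violations = []
    for path, (status, headers) in samples.items():
        if status not in REDIRECTS:
            violations.append((path, f"HTTP returned {status}, not a redirect"))
            continue
        if urlsplit(headers.get("Location", "")).scheme != "https":
            violations.append((path, "redirect target is not https://"))
    return violations


if __name__ == "__main__":
    # A protocol-relative reference on an HTTP page ends at the 403 page,
    # the same reference on an HTTPS page loads the script.
    print("http  page ->", follow("http", "/dap.js"))    # 403
    print("https page ->", follow("https", "/dap.js"))   # 200
    # The rejected alternative (bare 403 over HTTP) fails the audit.
    print(audit_http_only_redirects({"/": (403, {})}))
```

To audit a live host, replace `respond` with a request that has redirects disabled and feed the observed status and headers to `audit_http_only_redirects`.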
https://pulse.cio.gov/https/guidance/
@xtine I forget the full context of this thread, but the text I quoted above isn't contained in the link above.
@konklone: In housekeeping of guild issues, I hastily closed this issue but I am following up on this now. I put the Pulse link as another resource of HTTPS guidance.
I'm not sure where this information should live as doesn't fit to be in the Front End Guide, but seems like knowledge we should have somewhere.
@meiqimichelle: any ideas?