InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

NoScript HTTPS Forcing When Not Forced

https://forums.informaction.com/viewtopic.php?t=11212

Page 1 of 1

NoScript HTTPS Forcing When Not Forced

Posted: Fri Dec 14, 2012 3:25 pm
by therube
NoScript HTTPS Forcing When Not Forced ?

http://blog.mozilla.org/labs/files/2011/03/do_not_fool_workflow.png

Code: Select all

[NoScript HTTPS] Forced URI https://blog.mozilla.org/labs/files/2011/03/do_not_fool_workflow.png
Similarly you can end up with Forced Channel.

https://blog.mozilla.org/labs/2011/04/protecting-users-from-an-age-old-threat/

Code: Select all

[NoScript HTTPS] Forced Channel https://blog.mozilla.org/labs/2011/04/protecting-users-from-an-age-old-threat/
Yet: noscript.httpsForced; ?

Now the http: does automatically roll over to https:, in Mozilla, Safe Mode, showing a "lock", but not colored.
But in IE the http: does load & when you attempt to load the https:, you get an security certificate warning with an option to load anyway, which it will do.

Re: NoScript HTTPS Forcing When Not Forced

Posted: Fri Dec 14, 2012 7:16 pm
by dhouwn
Strict Transport Security
  • max-age=15768000
  • includeSubDomains

Re: NoScript HTTPS Forcing When Not Forced

Posted: Sat Dec 15, 2012 12:04 am
by Thrawn
@dhouwn: Nice one :).

With all of our client-side tools, it's easy to forget that there are server-side protections too :D.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited