x/blog, x/tour, x/talks: {blog,tour,talks}.golang.org are missing redirect from HTTP to HTTPS #42281

The-Compiler · 2020-10-29T21:57:01Z

When accessing http://golang.org, a redirect to HTTPS is made:

$ http http://golang.org
HTTP/1.1 302 Found
Content-Length: 42
Content-Type: text/html; charset=utf-8
Date: Thu, 29 Oct 2020 21:47:40 GMT
Location: https://golang.org/
Via: 1.1 google

<a href="https://golang.org/">Found</a>.

When doing the same with http://tour.golang.org, no such redirect is happening:

$ http http://tour.golang.org
HTTP/1.1 200 OK
Cache-Control: private
Content-Encoding: gzip
Content-Length: 882
Content-Type: text/html; charset=utf-8
Date: Thu, 29 Oct 2020 21:48:35 GMT
Server: Google Frontend
Strict-Transport-Security: max-age=31536000; preload
Vary: Accept-Encoding
X-Cloud-Trace-Context: 893d14db0c7307f3d2e69cf2094d46b5

<!doctype html>
<html lang="en" ng-app="tour">
[...]

On top of that, the website doesn't actually work when served via HTTP - it's blank and various errors are logged:

This isn't a problem for browsers which support HSTS Preloading - but for browsers/libraries which don't, this means the website will be broken (and not redirect to the proper HTTPS variant).

This can be reproduced in Firefox by starting it with a new profile (e.g. mkdir /tmp/ffprofile; firefox --profile /tmp/ffprofile),
opening about:config, setting network.stricttransportsecurity.preloadlist to false and then visiting tour.golang.org.

The text was updated successfully, but these errors were encountered:

dmitshur · 2020-10-30T20:03:47Z

Thanks for the report.

I've checked and this applies to {blog,talks}.golang.org as well.

All 3 are hosted on App Engine. This is a matter of configuring their respective app.yaml to set secure: always for all paths, as documented in the "App handlers" section here. This is very minor but nice to fix. I'll send CLs for this.

CC @golang/release, @golang/security.

gopherbot · 2020-10-30T20:22:25Z

Change https://golang.org/cl/266737 mentions this issue: blog: redirect HTTP traffic to HTTPS

gopherbot · 2020-10-30T22:17:46Z

Change https://golang.org/cl/266817 mentions this issue: tour: redirect HTTP traffic to HTTPS

gopherbot · 2020-10-30T22:21:12Z

Change https://golang.org/cl/266837 mentions this issue: talks: redirect HTTP traffic to HTTPS

Set secure to always on all handlers so that HTTP traffic is redirected to an HTTPS URL with the same path. References: • https://cloud.google.com/appengine/docs/standard/go/application-security#https_requests • https://cloud.google.com/appengine/docs/standard/go/config/appref#handlers_secure For golang/go#42281. Change-Id: I2b86928d51d4e692d29ded1b244f3866c9b087e9 Reviewed-on: https://go-review.googlesource.com/c/blog/+/266737 Trust: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Alexander Rakoczy <alex@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org>

Set secure to always on all handlers so that HTTP traffic is redirected to an HTTPS URL with the same path. References: • https://cloud.google.com/appengine/docs/standard/go/application-security#https_requests • https://cloud.google.com/appengine/docs/standard/go/config/appref#handlers_secure For golang/go#42281. Change-Id: Ic03e01d5858e1e5b8ae1b523ab34d970e1403ce0 Reviewed-on: https://go-review.googlesource.com/c/tour/+/266817 Trust: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Alexander Rakoczy <alex@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org>

Set secure to always on all handlers so that HTTP traffic is redirected to an HTTPS URL with the same path. References: • https://cloud.google.com/appengine/docs/standard/go/application-security#https_requests • https://cloud.google.com/appengine/docs/standard/go/config/appref#handlers_secure For golang/go#42281. Change-Id: Id89fbcfe97df255173e87f0af4ec71f5238897dc Reviewed-on: https://go-review.googlesource.com/c/talks/+/266837 Trust: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Alexander Rakoczy <alex@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org>

dmitshur · 2020-11-07T03:28:36Z

This is fixed now.

Set secure to always on all handlers so that HTTP traffic is redirected to an HTTPS URL with the same path. References: • https://cloud.google.com/appengine/docs/standard/go/application-security#https_requests • https://cloud.google.com/appengine/docs/standard/go/config/appref#handlers_secure For golang/go#42281. Change-Id: I2b86928d51d4e692d29ded1b244f3866c9b087e9 Reviewed-on: https://go-review.googlesource.com/c/blog/+/266737 Trust: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Alexander Rakoczy <alex@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> X-Blog-Commit: da7da4462ca59a3ef64f17cd35d619fcf1d3c879

Set secure to always on all handlers so that HTTP traffic is redirected to an HTTPS URL with the same path. References: • https://cloud.google.com/appengine/docs/standard/go/application-security#https_requests • https://cloud.google.com/appengine/docs/standard/go/config/appref#handlers_secure For golang/go#42281. Change-Id: Ic03e01d5858e1e5b8ae1b523ab34d970e1403ce0 Reviewed-on: https://go-review.googlesource.com/c/tour/+/266817 Trust: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Alexander Rakoczy <alex@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> X-Tour-Commit: 59417492f03e0d55e544815ff163973cef919f67

gopherbot added this to the Unreleased milestone Oct 29, 2020

dmitshur changed the title ~~x/website: tour.golang.org is missing redirect to HTTPS~~ x/tour: tour.golang.org is missing redirect to HTTPS Oct 30, 2020

dmitshur added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Oct 30, 2020

dmitshur changed the title ~~x/tour: tour.golang.org is missing redirect to HTTPS~~ x/blog, x/tour, x/talks: {blog,tour,talks}.golang.org are missing redirect from HTTP to HTTPS Oct 30, 2020

dmitshur added NeedsFix The path to resolution is known, but the work has not been done. and removed NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Oct 30, 2020

dmitshur self-assigned this Oct 30, 2020

dmitshur closed this as completed Nov 7, 2020

golang locked and limited conversation to collaborators Nov 7, 2021

gopherbot added the FrozenDueToAge label Nov 7, 2021

rsc unassigned dmitshur Jun 23, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/blog, x/tour, x/talks: {blog,tour,talks}.golang.org are missing redirect from HTTP to HTTPS #42281

x/blog, x/tour, x/talks: {blog,tour,talks}.golang.org are missing redirect from HTTP to HTTPS #42281

The-Compiler commented Oct 29, 2020

dmitshur commented Oct 30, 2020 •

edited

gopherbot commented Oct 30, 2020

gopherbot commented Oct 30, 2020

gopherbot commented Oct 30, 2020

dmitshur commented Nov 7, 2020

x/blog, x/tour, x/talks: {blog,tour,talks}.golang.org are missing redirect from HTTP to HTTPS #42281

x/blog, x/tour, x/talks: {blog,tour,talks}.golang.org are missing redirect from HTTP to HTTPS #42281

Comments

The-Compiler commented Oct 29, 2020

dmitshur commented Oct 30, 2020 • edited

gopherbot commented Oct 30, 2020

gopherbot commented Oct 30, 2020

gopherbot commented Oct 30, 2020

dmitshur commented Nov 7, 2020

dmitshur commented Oct 30, 2020 •

edited