Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/blog, x/tour, x/talks: {blog,tour,talks}.golang.org are missing redirect from HTTP to HTTPS #42281

Closed
The-Compiler opened this issue Oct 29, 2020 · 5 comments
Closed

x/blog, x/tour, x/talks: {blog,tour,talks}.golang.org are missing redirect from HTTP to HTTPS #42281

The-Compiler opened this issue Oct 29, 2020 · 5 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Milestone
Unreleased

Comments

@The-Compiler
Copy link

When accessing http://golang.org, a redirect to HTTPS is made:

$ http http://golang.org
HTTP/1.1 302 Found
Content-Length: 42
Content-Type: text/html; charset=utf-8
Date: Thu, 29 Oct 2020 21:47:40 GMT
Location: https://golang.org/
Via: 1.1 google

<a href="https://golang.org/">Found</a>.

When doing the same with http://tour.golang.org, no such redirect is happening:

$ http http://tour.golang.org
HTTP/1.1 200 OK
Cache-Control: private
Content-Encoding: gzip
Content-Length: 882
Content-Type: text/html; charset=utf-8
Date: Thu, 29 Oct 2020 21:48:35 GMT
Server: Google Frontend
Strict-Transport-Security: max-age=31536000; preload
Vary: Accept-Encoding
X-Cloud-Trace-Context: 893d14db0c7307f3d2e69cf2094d46b5

<!doctype html>
<html lang="en" ng-app="tour">
[...]

On top of that, the website doesn't actually work when served via HTTP - it's blank and various errors are logged:

image

This isn't a problem for browsers which support HSTS Preloading - but for browsers/libraries which don't, this means the website will be broken (and not redirect to the proper HTTPS variant).

This can be reproduced in Firefox by starting it with a new profile (e.g. mkdir /tmp/ffprofile; firefox --profile /tmp/ffprofile),
opening about:config, setting network.stricttransportsecurity.preloadlist to false and then visiting tour.golang.org.
@gopherbot gopherbot added this to the Unreleased milestone Oct 29, 2020
@dmitshur dmitshur changed the title x/website: tour.golang.org is missing redirect to HTTPS x/tour: tour.golang.org is missing redirect to HTTPS Oct 30, 2020
@dmitshur dmitshur added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Oct 30, 2020
@dmitshur dmitshur changed the title x/tour: tour.golang.org is missing redirect to HTTPS x/blog, x/tour, x/talks: {blog,tour,talks}.golang.org are missing redirect from HTTP to HTTPS Oct 30, 2020
@dmitshur dmitshur added NeedsFix The path to resolution is known, but the work has not been done. and removed NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Oct 30, 2020
@dmitshur dmitshur self-assigned this Oct 30, 2020
@dmitshur
Copy link
Contributor

dmitshur commented Oct 30, 2020
edited
Loading

Thanks for the report.

I've checked and this applies to {blog,talks}.golang.org as well.

All 3 are hosted on App Engine. This is a matter of configuring their respective app.yaml to set secure: always for all paths, as documented in the "App handlers" section here. This is very minor but nice to fix. I'll send CLs for this.

CC @golang/release, @golang/security.

@gopherbot
Copy link
Contributor

Change https://golang.org/cl/266737 mentions this issue: blog: redirect HTTP traffic to HTTPS

@gopherbot
Copy link
Contributor

Change https://golang.org/cl/266817 mentions this issue: tour: redirect HTTP traffic to HTTPS

@gopherbot
Copy link
Contributor

Change https://golang.org/cl/266837 mentions this issue: talks: redirect HTTP traffic to HTTPS

gopherbot pushed a commit to golang/blog that referenced this issue Nov 6, 2020
@dmitshur
blog: redirect HTTP traffic to HTTPS
da7da44 
Set secure to always on all handlers so that HTTP traffic
is redirected to an HTTPS URL with the same path.

References:

•	https://cloud.google.com/appengine/docs/standard/go/application-security#https_requestshttps://cloud.google.com/appengine/docs/standard/go/config/appref#handlers_secure

For golang/go#42281.

Change-Id: I2b86928d51d4e692d29ded1b244f3866c9b087e9
Reviewed-on: https://go-review.googlesource.com/c/blog/+/266737
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Alexander Rakoczy <alex@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
gopherbot pushed a commit to golang/tour that referenced this issue Nov 6, 2020
@dmitshur
tour: redirect HTTP traffic to HTTPS
5941749 
Set secure to always on all handlers so that HTTP traffic
is redirected to an HTTPS URL with the same path.

References:

•	https://cloud.google.com/appengine/docs/standard/go/application-security#https_requestshttps://cloud.google.com/appengine/docs/standard/go/config/appref#handlers_secure

For golang/go#42281.

Change-Id: Ic03e01d5858e1e5b8ae1b523ab34d970e1403ce0
Reviewed-on: https://go-review.googlesource.com/c/tour/+/266817
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Alexander Rakoczy <alex@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
gopherbot pushed a commit to golang/talks that referenced this issue Nov 7, 2020
@dmitshur
talks: redirect HTTP traffic to HTTPS
0327d39 
Set secure to always on all handlers so that HTTP traffic
is redirected to an HTTPS URL with the same path.

References:

•	https://cloud.google.com/appengine/docs/standard/go/application-security#https_requestshttps://cloud.google.com/appengine/docs/standard/go/config/appref#handlers_secure

For golang/go#42281.

Change-Id: Id89fbcfe97df255173e87f0af4ec71f5238897dc
Reviewed-on: https://go-review.googlesource.com/c/talks/+/266837
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Alexander Rakoczy <alex@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
@dmitshur
Copy link
Contributor

dmitshur commented Nov 7, 2020

This is fixed now.

@dmitshur dmitshur closed this as completed Nov 7, 2020
gopherbot pushed a commit to golang/website that referenced this issue May 26, 2021
@dmitshur
[x/blog] blog: redirect HTTP traffic to HTTPS
13c0aa6 
Set secure to always on all handlers so that HTTP traffic
is redirected to an HTTPS URL with the same path.

References:

•	https://cloud.google.com/appengine/docs/standard/go/application-security#https_requestshttps://cloud.google.com/appengine/docs/standard/go/config/appref#handlers_secure

For golang/go#42281.

Change-Id: I2b86928d51d4e692d29ded1b244f3866c9b087e9
Reviewed-on: https://go-review.googlesource.com/c/blog/+/266737
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Alexander Rakoczy <alex@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
X-Blog-Commit: da7da4462ca59a3ef64f17cd35d619fcf1d3c879
gopherbot pushed a commit to golang/website that referenced this issue May 26, 2021
@dmitshur
[x/tour] tour: redirect HTTP traffic to HTTPS
ab3756d 
Set secure to always on all handlers so that HTTP traffic
is redirected to an HTTPS URL with the same path.

References:

•	https://cloud.google.com/appengine/docs/standard/go/application-security#https_requestshttps://cloud.google.com/appengine/docs/standard/go/config/appref#handlers_secure

For golang/go#42281.

Change-Id: Ic03e01d5858e1e5b8ae1b523ab34d970e1403ce0
Reviewed-on: https://go-review.googlesource.com/c/tour/+/266817
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Alexander Rakoczy <alex@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
X-Tour-Commit: 59417492f03e0d55e544815ff163973cef919f67
@golang golang locked and limited conversation to collaborators Nov 7, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
3 participants
@The-Compiler @dmitshur @gopherbot