Comments (2)
However, this doesn't show up in pshtt at all, so there's no way to detect this kind of thing.
True! There are also other redirect techniques beyond meta redirects that pshtt currently can't recognize: for example, https://abcnews.go.com uses JavaScript to downgrade HTTPS:
<script>
  if (window.location.protocol == "https:" && window.parent.location.hostname.indexOf("outbrain") == -1) {
    var _sslurl = window.location.href.replace("https://", "http://");
    window.location.replace(_sslurl);
    window.location.href = _sslurl;
  }
</script>
I think the most comprehensive approach would be to use browser automation - "it's the only way to be sure." On the other hand, while that would make it easy to determine whether a site downgrades HTTPS or not, it wouldn't automatically help with the harder problem of determining why/how a site downgrades.
If you want to keep this issue specifically about meta redirects, let me know, and I'll move this comment to a dedicated issue about detecting JS redirects.
from pshtt.
The main reason I was considering meta redirects as possible is because in theory we should already have the HTML content from our requests to the site, and no more network activity is necessary. We'd only need to run an HTML parse operation on the retrieved content.
To do JS redirect detection would require (as you say) a headless browser, and potentially more network requests if the relevant JS is brought in via an external file and not an inline script. While HTML parsing isn't trivial, operating a headless browser and making arbitrary additional network requests is less appealing to me.
No worries on discussing it all in this issue, IMO.
from pshtt.