undefined | Better HN

0 pointshn_throwaway_991y ago0 comments

I think the original question "Okay.. does nodejs fetch respect HSTS?" goes into the "not even wrong" bucket, for the reasons you point out.

HSTS really only makes sense from a browser perspective (or, rather, a "permanently installed, stateful client" perspective). For an API like fetch it doesn't even make sense as a question IMO.

0 comments

Aachen1y ago

I would say it does make sense as a nice upgrade path for services that don't yet support https but you'd like to switch as soon as they enable it, or if you're forgetful or lazy and didn't type https:// in front of the link you were given or so

Whether that's still common enough to warrant the extra complexity in the fetch function is not something I'm qualified to judge

moralestapia1y ago

>For an API like fetch it doesn't even make sense as a question IMO.

Why not?

hn_throwaway_99OP1y ago

Because the way HSTS works fundamentally implies a stateful client, and because it was fundamentally created to solve a human problem (i.e. humans entering in URLs directly in the address bar). It really doesn't make sense with a non-stateful client, and it isn't intended for cases where someone isn't manually entering in the URL to hit.

E.g. fetch is often loaded in transient situations - it really shouldn't be updating its own config because of responses it gets. Also, based on the other comment I was originally thinking it would be good if fetch would just error out if it gets a redirect from http -> https AND also a Strict-Transport-Security header, but in that case it would still mean it was dependent on the server setting up the STS header, and if they could do that they should just go ahead and get rid of the http -> https redirect in the first place.

moralestapia1y ago

I agree with you on things like CORS, but HSTS would actually solve the problem stated in this thread quite gracefully.

Client fetches http, notices the header, retries https then ... ok no, lol. But I guess it's still of some use to let clients know "this should always happen through https" and make them fail if that's not the case.

Edit: yeah I got it, client fetches http, notices the header and then explicitly fails because HSTS is there.

j / k navigate · click thread line to collapse

0 comments

Aachen1y ago

Whether that's still common enough to warrant the extra complexity in the fetch function is not something I'm qualified to judge

moralestapia1y ago

>For an API like fetch it doesn't even make sense as a question IMO.

Why not?

hn_throwaway_99OP1y ago

moralestapia1y ago

I agree with you on things like CORS, but HSTS would actually solve the problem stated in this thread quite gracefully.

Edit: yeah I got it, client fetches http, notices the header and then explicitly fails because HSTS is there.

j / k navigate · click thread line to collapse