Bugfix: HSTS Test

privacy-protections/storage-partitioning/helpers/common.js

@@ -1,15 +1,16 @@
-/* exported THIRD_PARTY_HTTP THIRD_PARTY_HTTPS FIRST_PARTY_SITE FIRST_PARTY_HTTP FIRST_PARTY_HTTPS accessStorageInIframe */
+/* exported THIRD_PARTY_HTTP THIRD_PARTY_HTTPS HSTS_HOSTNAME FIRST_PARTY_HTTP FIRST_PARTY_HTTPS accessStorageInIframe */
 const isLocalTest = window.location.hostname.endsWith('.example');
 
 const THIRD_PARTY_HOSTNAME = isLocalTest ? 'third-party.example' : 'good.third-party.site';
 const THIRD_PARTY_HTTP = isLocalTest ? `http://${THIRD_PARTY_HOSTNAME}:3000` : `http://${THIRD_PARTY_HOSTNAME}`;
 const THIRD_PARTY_HTTPS = `https://${THIRD_PARTY_HOSTNAME}`;
 
 const FIRST_PARTY_HOSTNAME = isLocalTest ? 'first-party.example' : 'www.first-party.site';
-const FIRST_PARTY_SITE = isLocalTest ? 'first-party.example' : 'first-party.site'; // eTLD+1
 const FIRST_PARTY_HTTP = isLocalTest ? `http://${FIRST_PARTY_HOSTNAME}:3000` : `http://${THIRD_PARTY_HOSTNAME}`;
 const FIRST_PARTY_HTTPS = `https://${FIRST_PARTY_HOSTNAME}`;
 
+const HSTS_HOSTNAME = isLocalTest ? 'hsts.first-party.example' : 'privacy-test-pages.glitch.me';
+
 // Inject an iframe to retrieve values from test APIs
 function accessStorageInIframe (frameOrigin, sessionId, mode, apiTypes = [], frameId) {
     return new Promise((resolve, reject) => {

privacy-protections/storage-partitioning/helpers/tests.js

@@ -5,7 +5,7 @@
  */
 
 /* exported testAPIs */
-/* globals FIRST_PARTY_SITE DB */
+/* globals HSTS_HOSTNAME DB */
 
 const timeout = 1000; // ms; used for cross-tab communication APIs
 
@@ -573,17 +573,17 @@ const testAPIs = {
         type: 'hsts',
         store: async () => {
             // Clear any current HSTS
-            const clearURL = new URL('/partitioning/clear_hsts.png', `https://hsts.${FIRST_PARTY_SITE}/`);
+            const clearURL = new URL('/partitioning/clear_hsts.png', `https://${HSTS_HOSTNAME}/`);
             await loadSubresource('img', clearURL.href);
 
             // Set HSTS
-            const setURL = new URL('/partitioning/set_hsts.png', `https://hsts.${FIRST_PARTY_SITE}/`);
+            const setURL = new URL('/partitioning/set_hsts.png', `https://${HSTS_HOSTNAME}/`);
             await loadSubresource('img', setURL.href);
         },
         retrieve: async () => {
             // Attempt to retrieve an image over HTTP
             // The retrieval will fail if not upgraded to HTTPS by the browser.
-            const getURL = new URL('/partitioning/get_hsts.png', `http://hsts.${FIRST_PARTY_SITE}/`);
+            const getURL = new URL('/partitioning/get_hsts.png', `http://${HSTS_HOSTNAME}/`);
             const event = await loadSubresource('img', getURL.href);
             if (event.type === 'load') {
                 return 'https';

privacy-protections/storage-partitioning/server/routes.js

@@ -92,6 +92,8 @@ router.get('/get_hsts.png', (req, res) => {
     let isHTTPS = req.protocol === 'https';
     // The X-Forwarded-Proto header is added by Glitch's proxy
     // and reveals the original protocol used during the connection
+    // This header will always show HTTPS for all custom domains,
+    // it's only correct for privacy-test-pages.glitch.me.
     if (req.headers['x-forwarded-proto']) {
         isHTTPS = req.headers['x-forwarded-proto'].split(',', 1)[0] === 'https';
     }