Tags: http, web-services, browser, https, hsts

HSTS is redirecting from HTTP to HTTPS with a remote address on port 80


We are having a weird issue where sometimes the browser will decide to use port 80 for HTTPS.

The flow looks like this when it's not working (copied from network devtools):

Flow with port 80 as remote address

1st request:

    Request URL: http://app1.test/
    Request Method: GET
    Status Code: 307 Temporary Redirect
    Remote Address: :80

    Response headers
    Cross-Origin-Resource-Policy: Cross-Origin
    Location: https://app1.test/
    Non-Authoritative-Reason: HSTS

2nd request:

    Request URL: https://app1.test/
    Request Method: GET
    Status Code: 302 Found
    Remote Address: 192.168.xxx.xxx:80

    Response headers
    cache-control: no-store
    content-length: 1535
    content-security-policy: frame-ancestors 'none'
    content-type: text/html
    date: Fri, 01 Jul 2022 12:04:03 GMT
    location: https://***/mga/sps/oidc/rp/***/kickoff/***?authLevel=2&autologon=true&TAM_OP=login
    p3p: CP="NON CUR OTPi OUR NOR UNI"
    pragma: no-cache
    Set-Cookie: wap-***-session-cookie=***; Domain=***.int; Path=/; SameSite=None; Secure; HttpOnly
    Set-Cookie: PD-S-SESSION-ID-wap-oidc-int=***:1_2_0_6gpve0u3mSK+***|; Domain=.***.int; Path=/; SameSite=None; Secure; HttpOnly
    strict-transport-security: max-age=31536000; includeSubDomains
    x-content-type-options: nosniff
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1

This causes issues with our load balancer, as it hits a different endpoint.

Flow with working port 443

Often the flow will look like this with no issues:

1st request:

    Request URL: http://app1.test/
    Request Method: GET
    Status Code: 307 Internal Redirect
    Referrer Policy: strict-origin-when-cross-origin

    Response headers
    Cross-Origin-Resource-Policy: Cross-Origin
    Location: https://app1.test/
    Non-Authoritative-Reason: HSTS

And the 2nd request:

    Request URL: https://app1.test/
    Request Method: GET
    Status Code: 302 Moved Temporarily
    Remote Address: 192.168.xxx.xxx:443
    Referrer Policy: strict-origin-when-cross-origin

    Response headers
    cache-control: no-store
    content-length: 1535
    content-security-policy: frame-ancestors 'none'
    content-type: text/html
    date: Fri, 01 Jul 2022 13:19:21 GMT
    location: https://***/mga/sps/oidc/rp/***/kickoff/***?authLevel=2&autologon=true&TAM_OP=login
    p3p: CP="NON CUR OTPi OUR NOR UNI"
    pragma: no-cache
    Set-Cookie: wap-***-session-cookie=***; Domain=***.int; Path=/; SameSite=None; Secure; HttpOnly
    Set-Cookie: PD-S-SESSION-ID-wap-oidc-int=***; Domain=.***.int; Path=/; SameSite=None; Secure; HttpOnly
    strict-transport-security: max-age=31536000; includeSubDomains
    x-content-type-options: nosniff
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1

Does someone know why the browser sometimes uses "Remote Address :80"?


Solution

  • Turns out it is in fact using port 443. I was looking at a HAR export from a colleague and there is a bug in Chromium:

    https://bugs.chromium.org/p/chromium/issues/detail?id=1334230
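As an added example (not part of the question or the solution above), the following Node.js script audits the redirect chain in a HAR export without relying on the Remote Address column that the solution says Chromium reports incorrectly. It separates the browser-internal HSTS upgrade (the 307 carrying `Non-Authoritative-Reason: HSTS`, which never touches the network) from real server responses, parses the `Strict-Transport-Security` policy on the HTTPS response, and flags cleartext requests that actually went to the wire, short max-age values, a missing `includeSubDomains`, or a redirect to a non-HTTPS target. The embedded HAR is constructed to mirror the two requests in the question; `app1.test`, the IP address, the IdP host and the cookie value are placeholders, and the minimum max-age of one year is an assumed policy threshold, not something the page prescribes.

```javascript
// Added example, not code from the original post. The HAR below is
// constructed to mirror the two requests shown in the question; host names,
// IP address and cookie values are placeholders.
const sampleHar = {
  log: {
    entries: [
      {
        // Browser-internal HSTS upgrade: shown in devtools as a 307 but never sent.
        request: { method: 'GET', url: 'http://app1.test/' },
        response: {
          status: 307,
          statusText: 'Internal Redirect',
          headers: [
            { name: 'Location', value: 'https://app1.test/' },
            { name: 'Non-Authoritative-Reason', value: 'HSTS' },
          ],
        },
        serverIPAddress: '',
      },
      {
        // Real HTTPS response from the reverse proxy, redirecting to the IdP.
        request: { method: 'GET', url: 'https://app1.test/' },
        response: {
          status: 302,
          statusText: 'Found',
          headers: [
            { name: 'location', value: 'https://idp.example/mga/sps/oidc/rp/x/kickoff/y?TAM_OP=login' },
            { name: 'strict-transport-security', value: 'max-age=31536000; includeSubDomains' },
            { name: 'Set-Cookie', value: 'session=placeholder; Path=/; SameSite=None; Secure; HttpOnly' },
          ],
        },
        serverIPAddress: '192.168.0.10',
      },
    ],
  },
};

// Case-insensitive response header lookup (HAR preserves the server's casing).
function header(entry, name) {
  const h = entry.response.headers.find(x => x.name.toLowerCase() === name.toLowerCase());
  return h ? h.value : null;
}

// Parse a Strict-Transport-Security value into its directives (RFC 6797 syntax).
function parseHsts(value) {
  if (value == null) return null;
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const d = raw.trim();
    if (!d) continue;
    const [k, v] = d.split('=').map(s => s.trim());
    const key = k.toLowerCase();
    if (key === 'max-age' && v !== undefined) policy.maxAge = Number(v.replace(/^"|"$/g, ''));
    else if (key === 'includesubdomains') policy.includeSubDomains = true;
    else if (key === 'preload') policy.preload = true;
  }
  return policy;
}

// Classify one HAR entry. An HSTS upgrade is performed inside the browser,
// so any "remote address" shown for it carries no information.
function classifyEntry(entry) {
  const url = new URL(entry.request.url);
  const isInternalHsts =
    entry.response.status === 307 &&
    (header(entry, 'Non-Authoritative-Reason') || '').toUpperCase() === 'HSTS';
  return {
    url: entry.request.url,
    scheme: url.protocol.replace(':', ''),
    kind: isInternalHsts ? 'browser-internal HSTS upgrade' : 'network response',
    status: entry.response.status,
    location: header(entry, 'Location'),
    hsts: parseHsts(header(entry, 'Strict-Transport-Security')),
  };
}

// Audit a whole HAR log; minMaxAge (one year) is an assumed policy threshold.
function auditHar(har, minMaxAge = 31536000) {
  const results = har.log.entries.map(classifyEntry);
  const findings = [];
  for (const r of results) {
    if (r.kind === 'network response' && r.scheme === 'http') {
      findings.push(`cleartext request went to the network: ${r.url}`);
    }
    if (r.kind === 'network response' && r.scheme === 'https') {
      if (!r.hsts) findings.push(`no Strict-Transport-Security on ${r.url}`);
      else if (!(r.hsts.maxAge >= minMaxAge)) findings.push(`max-age too short on ${r.url}`);
      else if (!r.hsts.includeSubDomains) findings.push(`includeSubDomains missing on ${r.url}`);
    }
    if (r.location && !r.location.startsWith('https://')) {
      findings.push(`redirect to non-HTTPS target from ${r.url}`);
    }
  }
  return { results, findings };
}

// Usage: replace sampleHar with JSON.parse(fs.readFileSync('export.har', 'utf8')).
console.log(JSON.stringify(auditHar(sampleHar), null, 2));
```

Because the classification keys on the `Non-Authoritative-Reason: HSTS` header and the request scheme rather than on the displayed port, it gives the same answer for both captures in the question. If you need the port that was really used, confirm it at the load balancer or in a packet capture rather than from the devtools column.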