Enable HSTS to tell browsers to prefer HTTPS for code.jquery.com

[Krinkle]

This would solve:

• code.jquery.com produces different script tag based on how it is accessed #55
• update code.jquery.com to https demos.jquerymobile.com#19

Sub steps:

• Set Strict-Transport-Security: max-age=106384710; includeSubDomains; preload in our Nginx backend configuration as a header on our main content domains. Taking care to apply this both to responses generated via WordPress for pages on api.jquery.com and code.jquery.com, as well as static files served from codeorigin.jquery.com.
• Submit jquery.com to https://hstspreload.org/

[mgol]

For jquery-wp-content development we use Vagrant hosts at vagrant.real-domain, e.g. http://vagrant.api.jquery.com. So while it'd be good to have HSTS enabled for all jQuery domain, we need a plan for handling these Vagrant subdomains.

[mgol]

From my comment at #19 (comment): a redirect to HTTPS is one of prerequisites of adding a domain to the HSTS preload list as documented at https://hstspreload.org/. Judging by @Krinkle's comment at #19 (comment) it looks like we can enable HSTS but it will never be preloaded.

[Krinkle]

@Krinkle a redirect to HTTPS is one of prerequisites of adding a domain to the HSTS preload list as documented at https://hstspreload.org/. So it looks like we can enable HSTS but it will never be preloaded?

I'm not entirely sure yet. It might be. I think it might be possible so long as the apex domain (jquery.com) has a redirect, and/or so long as it redirects when the Upgrade-Insecure-Requests header is set on the incoming request; both of which we can safely do.

[mozfreddyb]

@mikewest Do you think you could figure out if there's a way to get the jquery code domains on Chromium's HSTS preload list by relaxing the "HTTP to HTTPS redirect" requirements, that are usually applied? This could be really useful and site-owners seem to be eager.
I'd be happy to investigate the Firefox side of things.

[mikewest]

The person I would have asked in Chrome isn't available; so, let me throw @devonobrien and @sleevi under the bus to see if they know who to talk to about exceptions to our HSTS policy.

[mgol]

Is the rule we're talking about now mostly making sure that the site is committed to HTTPS so that supporting HSTS, in theory, doesn't introduce a change in behavior but only makes it safer? Otherwise, this shouldn't interfere. Maybe we could, indeed, get an exception here. The jQuery CDN is used a lot so having HSTS enabled would improve overall Web security even if we don't enable a "regular" redirect to HTTPS.

[mozfreddyb]

Just noticed that Firefox code is technically able to force an inclusion regardless of current HTTPS status using a specific flag, e.g., if the Chromium list entry uses a specific policy value. Should be possible to use that very same mechanism (or a similar one). I'll start the conversation on our side, once this is progressing with on the other ends :)

[devonobrien]

@mikewest Yep, that's me; I now own our HSTS Policy and handle exception requests.

Currently, code.jquery.com doesn't meet a handful of preloading requirements, but we do have an exception for high-value domains [1], which provide an outsized security benefit to clients per entry compared to the vast majority of subdomains. This domain pretty clearly falls into this category, and we can add it to the preload list manually.

While it's clear that there are problems asserting includeSubDomains for jquery.com, could we still safely assert for code.jquery.com if we preloaded it directly? Also, to avoid the lengthy and painful process of removal from the preload list in the event of a problem, we strongly advise following a conservative deployment strategy for HSTS [2] before preloading to ensure that there will be no issues. Removals from the HSTS preload list can take up to 3 months to reach most clients.

[1] https://github.com/chromium/hstspreload.org/wiki/Preload-List-Processes#requirements-for-manual-hsts-entries
[2] https://hstspreload.org/?domain=code.jquery.com#deployment-recommendations