[Falkon] [Bug 507078] New: Support lookup of HTTP Strict Transport Security (HSTS) Preloaded domains

Shimi bugzilla_noreply at kde.org
Tue Jul 15 20:39:58 BST 2025


https://bugs.kde.org/show_bug.cgi?id=507078

            Bug ID: 507078
           Summary: Support lookup of HTTP Strict Transport Security
                    (HSTS) Preloaded domains
    Classification: Applications
           Product: Falkon
Version First Reported In: 25.04.2
          Platform: Arch Linux
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: general
          Assignee: unassigned-bugs at kde.org
          Reporter: kde at shimi.net
  Target Milestone: ---

SUMMARY
Modern browsers support looking up the browsed domain in a list of domains that
their owners desired for them to be HTTPS-only, even on the very first attempt
to access the domain over plain HTTP (for the 2nd attempt you can use the
Strict-Transport-Security header sent by the server, ASSUMING that you were not
MITM'd in the initial connection if it was http://).

This capability started (to my knowledge) with the Chromium/Chrome browser, but
the list is public and all modern/popular browsers (Chrome, Edge, Firefox, IE) use
it. My empirical attempts to go to http:// URLs with HSTS-preloaded domains using
the Falkon browser did not result in an internal upgrade of the request to
HTTPS. Some of these sites are not even listening on port 80, so I just end up
being stuck until I realize I forgot the https:// prefix. Which makes me
wonder if STS headers in general are also not respected?

Anyway, it would be nice if Falkon looked up entered domains against the
preload list and prepended https:// instead of http:// to such domains (and of
course barred you from accessing the site should an invalid TLS cert be received
as a result).

STEPS TO REPRODUCE
1. Browse with domain only (so: http:// is prepended to the domain) to an
HSTS-preloaded website

OBSERVED RESULT
The connection is not automatically upgraded to HTTPS (unless the website
itself does a 301/302, but that's not the issue I am reporting; I am talking
about the browser itself upgrading the request to https:// even if it didn't
get a 301/302, and in fact, without even ATTEMPTING to connect over http:// to
begin with.)

EXPECTED RESULT
Connection is automatically upgraded to https://

SOFTWARE/OS VERSIONS
Linux/KDE Plasma:  Arch Linux
KDE Plasma Version: 6.3.5
KDE Frameworks Version: 6.14.0
Qt Version: 6.9.1

ADDITIONAL INFORMATION
none

-- 
You are receiving this mail because:
You are the assignee for the bug.
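The behaviour the report asks for, written out as an added example (this is editorial illustration, not Falkon or Chromium code): a preload lookup that upgrades an http:// URL before any plain-HTTP connection is attempted, beside a small store for dynamically learned Strict-Transport-Security headers that is only trusted when the header arrived over TLS. The preload entries and host names (`example-preloaded.test`, `exact-only.test`, `dyn.test`) are constructed for the example; a real browser would load the public Chromium preload list instead. Parent-domain matching follows the `includeSubDomains` flag, and an explicit port 80 is rewritten to 443 as RFC 6797 section 8.3 describes.

```python
"""Simplified HSTS decision logic: preload list lookup plus dynamic
Strict-Transport-Security (STS) handling.  Added example, not browser code."""
from urllib.parse import urlsplit, urlunsplit
import time

# Constructed stand-in for the public preload list: host -> include_subdomains.
# Real browsers ship the Chromium list; these names are hypothetical.
PRELOAD = {
    "example-preloaded.test": True,   # covers every subdomain too
    "exact-only.test": False,         # only the exact host is preloaded
}


def _matches(host, lookup):
    """Walk from the full host up to its parent domains; `lookup(name)` returns
    the include_subdomains flag for a known name or None.  A parent-domain entry
    only counts when it carries includeSubDomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        flag = lookup(".".join(labels[i:]))
        if flag is not None and (i == 0 or flag):
            return True
    return False


def preloaded(host):
    """True if the host (or a covering parent entry) is in the preload list."""
    return _matches(host, PRELOAD.get)


class HstsStore:
    """Hosts learned from STS response headers (RFC 6797), with expiry."""

    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}  # host -> (expiry_timestamp, include_subdomains)

    @staticmethod
    def parse_header(value):
        """Return (max_age, include_subdomains) or None for an invalid header."""
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, val = directive.strip().partition("=")
            name, val = name.strip().lower(), val.strip().strip('"')
            if name == "max-age":
                if not val.isdigit():
                    return None          # max-age must be a non-negative integer
                max_age = int(val)
            elif name == "includesubdomains":
                include_sub = True
        return None if max_age is None else (max_age, include_sub)

    def remember(self, host, header_value, over_tls):
        """Record an STS header; ignored unless received over a TLS connection
        (RFC 6797 section 8.1), which is the MITM caveat the report mentions."""
        if not over_tls:
            return False
        parsed = self.parse_header(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self._entries.pop(host, None)  # max-age=0 tells us to forget the host
        else:
            self._entries[host] = (self._now() + max_age, include_sub)
        return True

    def known(self, host):
        """True if an unexpired entry covers the host."""
        now = self._now()

        def lookup(name):
            entry = self._entries.get(name)
            if entry is None or entry[0] <= now:
                return None
            return entry[1]

        return _matches(host, lookup)


def upgrade_url(url, store):
    """Rewrite http:// to https:// when the host is preloaded or known, before
    any plain-HTTP request is made.  Other schemes are returned unchanged."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "http" or not (preloaded(host) or store.known(host)):
        return url
    netloc = parts.netloc
    if parts.port == 80:               # explicit :80 becomes :443
        netloc = netloc.rsplit(":", 1)[0] + ":443"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    print(upgrade_url("http://www.example-preloaded.test/login", HstsStore()))
```

A browser would still need to refuse the connection on a certificate error for any host reached through this path, since HSTS forbids the usual click-through; that enforcement happens at the TLS layer and is not modelled here.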
