Imagine JavaScript in a web page A has permission to access domain B (that is, CORS is not an issue).
A makes an insecure/HTTP query (WebSockets, XHR, whatever) to B. It fails.
Is there a way to ascertain, at that point, whether it failed *because HSTS is set on that domain?*
If it had HSTS enabled, wouldn't the request be automatically upgraded to HTTPS? I have never heard of such an API.
1. The resource being requested is not HTTPS. It is HTTP.
2. If you "upgrade" a port 80 request to HTTPS, you do so by switching to port 443. How exactly does one upgrade an HTTP request on port 9033 to HTTPS? Request again as HTTPS on 9033?
It preserves the port:
datatracker.ietf.org/doc/html/rfc67
HSTS state is for the domain, not for a specific origin based on the domain. If HSTS is enabled for the domain, the browser won't make HTTP requests. There's a special case for port 80 to use port 443, but other ports use the same port.
If HSTS is enabled for the domain, the browser won't make non-TLS requests to that domain at all. It transparently upgrades them and if that fails, the connection simply failed. If there's only an HTTP server on that port and HSTS is enabled, it simply fails to connect.
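The port-preservation rule the replies describe is the URI rewriting step from RFC 6797 section 8.3: the scheme becomes `https` (or `wss` for WebSockets), an explicit port 80 becomes 443, a missing port stays missing, and every other explicit port is kept as-is. The following is an added example, not code posted by anyone in the thread, that applies that rule to a URL so a developer can see which origin the browser will actually try to reach after the transparent upgrade. The function name `hstsUpgrade` and the sample URLs are constructed for illustration; the browser performs this rewrite internally before the request leaves, which is why the page's script only ever sees a generic network failure and cannot learn that HSTS was the reason.

```javascript
// Rewrite a URL the way an HSTS-aware browser does before connecting
// (RFC 6797 section 8.3). Hypothetical helper, written for this example.
function hstsUpgrade(rawUrl) {
  const url = new URL(rawUrl);
  const secureScheme = { "http:": "https:", "ws:": "wss:" }[url.protocol];
  if (secureScheme === undefined) {
    // Already TLS, or a scheme HSTS does not apply to: leave it alone.
    return url.href;
  }

  // Remember the port exactly as the page wrote it; "" means "not given",
  // which for http:/ws: the URL parser treats as the default port 80.
  const explicitPort = url.port;

  url.protocol = secureScheme;

  if (explicitPort === "" || explicitPort === "80") {
    // Port 80 (explicit or implied) becomes 443. For https:/wss: the
    // URL API expresses the default port 443 as an empty port string.
    url.port = "";
  } else {
    // Any other explicit port is preserved: http://host:9033 is
    // upgraded to https://host:9033, and that is where a TLS handshake
    // is attempted. If only a plain-HTTP server listens there, the
    // handshake fails and the script sees an opaque network error.
    url.port = explicitPort;
  }
  return url.href;
}

// Constructed sample inputs showing each branch of the rule.
const samples = [
  "http://api.example.test/v1/items",      // no port -> https, still no port
  "http://api.example.test:80/v1/items",   // explicit 80 -> 443 (https default)
  "http://api.example.test:9033/v1/items", // non-default port preserved
  "ws://api.example.test:9033/socket",     // WebSocket gets the same treatment
  "https://api.example.test:8443/",        // already secure -> unchanged
];

for (const s of samples) {
  console.log(`${s}  ->  ${hstsUpgrade(s)}`);
}
```

If your API only speaks plain HTTP on a non-standard port, the practical takeaway from the thread is that no client-side check can diagnose the HSTS case; the fix lives on the server side (serve TLS on that port, or do not emit `Strict-Transport-Security` for that host and its subdomains).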