Block port 443 for all protocols other than HTTPS or WSS.

This addresses the history leak (on non-preloaded HSTS sites) from

  "If we ask Chrome to load, it will definitely fail, because Chrome will make a plain-text HTTP request to port 443 of the server. However, if is a Known HSTS Host of Chrome (meaning either the user has visited before, or it is on the HSTS preload list), it will send a request to, and the request will succeed. We can use JavaScript to differentiate the two cases, since in the first case the onerror event is triggered, while in the second case the onload event is triggered.

  Therefore, a malicious website can include well-chosen cross-domain images and use this trick to brute-force a list of domains that users have visited. Note that the list could only contain HSTS-enabled but not preloaded websites."


Review URL:

Cr-Commit-Position: refs/heads/master@{#306959}
4 files changed
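The following is an added example, not code from this Chromium change or from the quoted report. It models the request-path decisions the commit message describes: the HSTS upgrade of a Known HSTS Host, the failure of plain-text HTTP sent to a TLS port, and the port-443 restriction this change introduces. It makes no network requests; the host names and the "visited" set are constructed for illustration, and the model assumes the port check is applied to the URL as requested, before any HSTS upgrade, which is the ordering the commit message implies (an upgraded HTTPS request on 443 would otherwise still succeed and the two cases would remain distinguishable).

```javascript
// Added example, not part of the Chromium change. Offline model of the
// behaviour described in the commit message; hosts are constructed.

const DEFAULT_PORT = { 'http:': 80, 'https:': 443, 'ws:': 80, 'wss:': 443 };

// Effective port of a parsed URL: the explicit port, or the scheme default.
function effectivePort(url) {
  return url.port === '' ? DEFAULT_PORT[url.protocol] : Number(url.port);
}

// The rule this change introduces: port 443 may only be used by HTTPS or WSS.
// Assumed (see lead-in) to be evaluated on the URL exactly as requested,
// before any HSTS upgrade, so http://host:443/ is refused for every host.
function isBlockedPort(url) {
  return effectivePort(url) === 443 &&
         url.protocol !== 'https:' && url.protocol !== 'wss:';
}

// HSTS rewrite for a Known HSTS Host (RFC 6797 s8.3): http -> https; an
// explicit :80 becomes the https default; other explicit ports are kept.
function applyHsts(url, knownHstsHosts) {
  if (url.protocol !== 'http:' || !knownHstsHosts.has(url.hostname)) return url;
  const keepPort = (url.port === '' || url.port === '80' || url.port === '443')
    ? '' : ':' + url.port;
  return new URL(`https://${url.hostname}${keepPort}${url.pathname}${url.search}`);
}

// What a page's JavaScript would observe when loading urlString as an image:
// 'load' or 'error'. restrictPort443 selects behaviour before/after this change.
function probeOutcome(urlString, knownHstsHosts, restrictPort443) {
  const requested = new URL(urlString);
  if (restrictPort443 && isBlockedPort(requested)) return 'error'; // refused up front
  const actual = applyHsts(requested, knownHstsHosts);
  // Plain-text HTTP sent to a TLS listener never yields a valid response.
  if (actual.protocol === 'http:' && effectivePort(actual) === 443) return 'error';
  return 'load';
}

// The brute-force from the quoted report: every candidate whose probe loads
// is inferred to be a Known HSTS Host, i.e. a site the user has visited.
function inferVisited(candidates, knownHstsHosts, restrictPort443) {
  return candidates.filter((host) =>
    probeOutcome(`http://${host}:443/pixel.png`, knownHstsHosts, restrictPort443) === 'load');
}

// Browser-side form of the same probe (needs a DOM; not exercised here).
function probeInBrowser(host) {
  return new Promise((resolve) => {
    const img = new Image();
    img.onload = () => resolve('load');
    img.onerror = () => resolve('error');
    img.src = `http://${host}:443/pixel.png?${Date.now()}`; // cache-buster
  });
}

// Constructed data: the attacker's candidate list and the hosts this
// hypothetical user has visited over HSTS (none of them preloaded).
const CANDIDATES = ['bank.example', 'shop.example', 'news.example'];
const VISITED_HSTS = new Set(['bank.example']);

console.log('before fix:', inferVisited(CANDIDATES, VISITED_HSTS, false)); // [ 'bank.example' ]
console.log('after fix: ', inferVisited(CANDIDATES, VISITED_HSTS, true));  // []
```

Before the change the two outcomes differ, so the candidate list leaks which HSTS hosts the user has visited; after it, `http://host:443/` is refused for every host and both cases report `error`. Ordinary `https://host:443/` and `wss://host/` requests are unaffected, since the rule only rejects non-HTTPS, non-WSS schemes on that port.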