<p>Yes, the problem is that an OAuth client makes an http request (and includes http in the protocol when computing the signature) but behind their back the browser sends the request over https instead which means that when the server computes the signature (using https as the protocol) it doesn't match.</p>
<p>It's not hypothetical - we turned on HSTS at one point and had to turn it off again because of this.</p>
<p>It's actually not relevant to this bug anyway - this bug could be resolved simply by redirecting everything to https by default. That simply requires that we make a decision to go "https only" which historically we have avoided because there were objections from some users to that.</p>
<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br />You are receiving this because you are subscribed to this thread.<br />Reply to this email directly, or <a href="https://github.com/openstreetmap/openstreetmap-website/issues/1493#issuecomment-327158765">view it on GitHub</a>.</p>
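<p>The mismatch described in the comment above, as an added example that is not part of the issue thread or of the openstreetmap-website code: a minimal RFC 5849 signature base string builder shows that a signature the client computed over the http URL no longer verifies once the server rebuilds the base string from the https request it actually received. The host, credentials and oauth parameters below are constructed placeholders.</p>

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s):
    # RFC 5849 s3.6 percent-encoding: only unreserved characters are left untouched.
    return quote(str(s), safe="-._~")

def base_string_uri(url):
    # RFC 5849 s3.4.1.2: lowercase scheme/host, drop default ports, drop the query.
    # The scheme is part of this string, so a browser http->https upgrade changes it.
    p = urlsplit(url)
    scheme, host = p.scheme.lower(), p.hostname.lower()
    default = {"http": 80, "https": 443}.get(scheme)
    netloc = host if p.port in (None, default) else f"{host}:{p.port}"
    return f"{scheme}://{netloc}{p.path or '/'}"

def signature_base_string(method, url, oauth_params):
    # RFC 5849 s3.4.1: METHOD & enc(base URI) & enc(normalized parameters).
    params = list(oauth_params.items()) + parse_qsl(urlsplit(url).query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in params)   # sort after encoding
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])

def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

# Constructed sample credentials and request; oauth_signature is never in the base string.
CONSUMER_SECRET, TOKEN_SECRET = "consumer-secret-example", "token-secret-example"
OAUTH_PARAMS = {"oauth_consumer_key": "example-consumer-key", "oauth_token": "example-token",
                "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1504000000",
                "oauth_nonce": "4f3e2d1c", "oauth_version": "1.0"}
CLIENT_URL = "http://api.example.org/api/0.6/user/details"   # what the client signed
SERVER_URL = "https://api.example.org/api/0.6/user/details"  # what arrived after the HSTS upgrade

def sign(method, url):
    return hmac_sha1_signature(signature_base_string(method, url, OAUTH_PARAMS), CONSUMER_SECRET, TOKEN_SECRET)

def server_verifies(method, url_as_received, presented_signature):
    # The server rebuilds the base string from the request it actually received.
    return hmac.compare_digest(sign(method, url_as_received), presented_signature)

if __name__ == "__main__":
    sig = sign("GET", CLIENT_URL)
    print("verified when scheme unchanged:", server_verifies("GET", CLIENT_URL, sig))
    print("verified after http->https upgrade:", server_verifies("GET", SERVER_URL, sig))
```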