Limit HSTS fingerprinting in 1p context #5936

Closed
jumde opened this issue Sep 8, 2019 · 3 comments
Labels: closed/duplicate (Issue has already been reported), closed/wontfix, priority/P3 (The next thing for us to work on. It'll ride the trains.), privacy/tracking (Preventing sites from tracking users across the web), privacy

Comments

@jumde
Contributor

jumde commented Sep 8, 2019

For #3419, we blocked setting HSTS for third parties.

HSTS fingerprinting can also be achieved in a first-party context; we should limit setting HSTS headers to the loaded hostname and eTLD+1, similar to: https://webkit.org/blog/8146/protecting-against-hsts-abuse/
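Added example, not code from this issue or its project: it models the WebKit-style rule referenced above, under which an HSTS header is stored only when the responding host is the top-level document's hostname or its eTLD+1, and shows that a page loading one subdomain per bit gets no HSTS state stored. The suffix set, helper names and sample hosts are constructed assumptions; a real browser consults the full Public Suffix List.

```python
from typing import Iterable, List

# Constructed subset of the Public Suffix List; a browser uses the full list.
PUBLIC_SUFFIXES = {"com", "net", "co.uk", "github.io"}


def etld_plus_one(host: str) -> str:
    """Return the registrable domain (eTLD+1) of host using PUBLIC_SUFFIXES."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest so that
    # "co.uk" wins over "uk" for "www.example.co.uk".
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i + 1:])
        if suffix in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def should_store_hsts(document_host: str, response_host: str) -> bool:
    """Accept HSTS from response_host only if it is the page host or its eTLD+1.

    Assumed policy: per-bit subdomains loaded by the page cannot each persist
    HSTS state, which removes the storage the fingerprint depends on.
    """
    document_host = document_host.lower()
    response_host = response_host.lower()
    return response_host in (document_host, etld_plus_one(document_host))


def accepted_hsts_hosts(document_host: str, response_hosts: Iterable[str]) -> List[str]:
    """Filter the hosts that responded during a page load to those allowed to set HSTS."""
    return [h for h in response_hosts if should_store_hsts(document_host, h)]


if __name__ == "__main__":
    # Constructed fingerprinting attempt: www.example.com loads 32 per-bit
    # subdomains. Under the policy above none of them may set HSTS state.
    bit_hosts = [f"bit{i}.example.com" for i in range(32)]
    print(accepted_hsts_hosts("www.example.com", bit_hosts))   # []
    print(accepted_hsts_hosts("www.example.com", ["example.com", "cdn.example.com"]))
```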

@jumde jumde added the privacy label Sep 8, 2019
@fmarier fmarier added privacy/tracking Preventing sites from tracking users across the web and removed privacy labels Sep 9, 2019
@tildelowengrimm tildelowengrimm added the priority/P4 Planned work. We expect to get to it "soon". label Sep 24, 2019
@syverson

Note that the countermeasures described in https://webkit.org/blog/8146/protecting-against-hsts-abuse/ do nothing to address the first-party tracking and censorship described in "HSTS Supports Targeted Surveillance" (paper at https://www.usenix.org/system/files/conference/foci18/foci18-paper-syverson.pdf, code at https://github.com/pastly/satis-hsts-tracking).

@fmarier fmarier removed the priority/P4 Planned work. We expect to get to it "soon". label Jun 22, 2020
@pes10k pes10k added the priority/P3 The next thing for us to work on. It'll ride the trains. label Jun 23, 2020
@fmarier
Member

fmarier commented Feb 5, 2021

A proposal from Mike West: https://github.com/mikewest/strict-navigation-security

@fmarier fmarier removed their assignment Apr 26, 2022
@pes10k
Contributor

pes10k commented Apr 27, 2022

Closing this in favor of #18830

@pes10k pes10k closed this as completed Apr 27, 2022
@pes10k pes10k added closed/wontfix closed/duplicate Issue has already been reported labels Apr 27, 2022