Disable 3p dynamic HSTS | Expect-CT | PKP headers #925

jumde · 2019-02-27T03:50:06Z

Description:

Headers like "Strict-Transport-Security", "Expect-CT", "Public-Key-Pins", "Public-Key-Pins-Report-Only" can be used for fingerprinting in 3p context.

For more info: brave/brave-browser#3419

Repro steps:

Disable HTTPS Everywhere
Navigate to https://jsfiddle.net/x5mqb807/ - This loads content from avatars2.githubusercontent.com which sets the Strict-Transport-Security header.

The text was updated successfully, but these errors were encountered:

tildelowengrimm · 2019-02-27T22:56:56Z

Is the solution that we'll remember headers set by third parties but only apply them to first parties, or that we'd only remember or apply when the site is a first party?

jumde · 2019-02-27T22:59:03Z

See: brave/browser-laptop#12223 (comment)

ShivanKaul · 2023-05-09T21:22:46Z

Public Key Pins and Expect-CT are deprecated headers, and for HSTS, we follow Safari which does partition the HSTS cache.

jumde added the privacy label Feb 27, 2019

jhreis added enhancement QA/Yes release-notes/include blocked: needs investigation labels Mar 19, 2019

jumde added the desktop-parity label Jun 28, 2019

ShivanKaul closed this as not planned Won't fix, can't repro, duplicate, stale May 9, 2023

ShivanKaul added the closed/stale label May 9, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Disable 3p dynamic HSTS | Expect-CT | PKP headers #925

Disable 3p dynamic HSTS | Expect-CT | PKP headers #925

jumde commented Feb 27, 2019

tildelowengrimm commented Feb 27, 2019

jumde commented Feb 27, 2019

ShivanKaul commented May 9, 2023

Disable 3p dynamic HSTS | Expect-CT | PKP headers #925

Disable 3p dynamic HSTS | Expect-CT | PKP headers #925

Comments

jumde commented Feb 27, 2019

Description:

Repro steps:

tildelowengrimm commented Feb 27, 2019

jumde commented Feb 27, 2019

ShivanKaul commented May 9, 2023