Contact emails
bing...@chromium.org, miketa...@chromium.org

Explainer
https://github.com/explainers-by-googlers/HSTS-Tracking-Prevention

Specification
TBD

Summary
Only apply HSTS upgrades to top-level navigation requests. Because HSTS upgrades would no longer be applied to any sub-resource request, a stored identifier could only be read back by navigating the browser top-level to every applicable URL. This makes tracking via HSTS significantly more difficult for third-party trackers.

Blink component
Blink>Network <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ENetwork>

Motivation
HSTS can be used by third parties to store arbitrary amounts of information that can track users around the web. This is done by creating an arbitrary number of sub-domains, sending requests to each of those domains, setting an HSTS response on a subset of those requests, and later observing which sub-domain requests the browser automatically upgrades to HTTPS in order to identify that user. Other browsers, such as Firefox and Safari, have already implemented forms of HSTS tracking prevention.

Initial public proposal
https://github.com/explainers-by-googlers/HSTS-Tracking-Prevention?tab=readme-ov-file#prior-art

TAG review
None

TAG review status
N/A

Risks

Interoperability and Compatibility
Gecko: Shipped - Similar design. Firefox blocks third-party HSTS responses <https://bugzilla.mozilla.org/show_bug.cgi?id=1701192#c15>.
WebKit: Shipped - Similar design. Safari blocks third-party HSTS responses <https://webkit.org/blog/8146/protecting-against-hsts-abuse/>.
Web developers: No signals

WebView application risks
None

Debuggability
None

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
Not currently, but web platform tests will be added before launch.

Flag name
HstsTopLevelNavigationsOnly

Requires code in //chrome?
False

Tracking bug
https://crbug.com/40725781

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5072685886078976
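A toy model of the proposed policy, added here as an example and not part of this intent or of Chromium's own code: an HSTS store that records Strict-Transport-Security headers (including expiry, includeSubDomains and max-age=0 removal) and, when top_level_only is set, refuses to upgrade any sub-resource request. The host names under tracker.example and the stored pattern are constructed to show how many upgrades a third-party sub-resource fetch can observe under each policy.

```python
class HstsStore:
    """Toy HSTS store modelling only the upgrade decision discussed above."""

    def __init__(self, top_level_only: bool):
        self.top_level_only = top_level_only  # proposed HstsTopLevelNavigationsOnly behaviour
        self.entries = {}  # host -> (expiry time in seconds, includeSubDomains flag)

    def process_header(self, host: str, header: str, now: float) -> None:
        """Record a Strict-Transport-Security value, e.g. 'max-age=31536000; includeSubDomains'."""
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return  # malformed header: ignore it entirely
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # max-age is required
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 deletes the entry
        else:
            self.entries[host] = (now + max_age, include_sub)

    def _is_known(self, host: str, now: float) -> bool:
        labels = host.split(".")  # check the host itself, then each parent domain
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def should_upgrade(self, host: str, is_top_level: bool, now: float) -> bool:
        """Should an http:// request to host be rewritten to https://?"""
        if self.top_level_only and not is_top_level:
            return False  # sub-resource requests never reveal stored HSTS state
        return self._is_known(host, now)


def upgraded_subresources(top_level_only: bool) -> int:
    """Constructed scenario: 8 tracker sub-domains, half set HSTS; count sub-resource upgrades."""
    store, now = HstsStore(top_level_only), 0.0
    hosts = [f"b{i}.tracker.example" for i in range(8)]
    for i, host in enumerate(hosts):
        if i % 2 == 0:
            store.process_header(host, "max-age=3600", now)
    return sum(store.should_upgrade(h, False, now) for h in hosts)
```

With the current behaviour the sub-resource fetches expose the stored pattern (4 of 8 upgraded); with top-level-only upgrades they expose nothing (0 of 8), and the same store still upgrades a top-level navigation.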