Double-key HSTS for third party content
|Reported by:||mikeperry||Owned by:||tbb-team|
|Severity:||Normal||Keywords:||tbb-linkability, tbb-bounty, tbb-firefox-patch|
|Cc:||gk, arthuredelstein||Actual Points:|
With proper cache+identifier siloing to url bar origin, it is no longer a security issue to allow 3rd party content from HSTS urls to get loaded from non-HSTS sites. Therefore, we can disable HSTS enforcement for third parties in this case.
This will eliminate a super-cookie vector that HSTS creates (registering 32 domains, using HSTS for each domain as a bit).
This is going to be a painful patch to write, though...
Change History (15)
comment:6 Changed 3 years ago by erinn
- Component changed from Firefox Patch Issues to Tor Browser
- Owner changed from mikeperry to tbb-team
comment:10 follow-up: ↓ 11 Changed 22 months ago by mikeperry
- Summary changed from Disable HSTS for third party content on non-HSTS domains to Double-key HSTS for third party content
comment:14 Changed 7 months ago by arthuredelstein
- Resolution set to duplicate
- Status changed from new to closed