Intent to Prototype: HSTS Tracking Prevention


Steven Bingler

Dec 20, 2024, 1:52:23 PM
to blink-dev
Contact emails

bin...@chromium.org, mike...@chromium.org


Explainer

https://github.com/explainers-by-googlers/HSTS-Tracking-Prevention


Specification

TBD


Summary

Only apply HSTS upgrades to top-level navigation requests. By not applying HSTS upgrades to any sub-resources, it will be impossible for any stored identity to be read unless the browser is navigated to every applicable URL. This makes tracking via HSTS significantly more difficult for third-party trackers.


Blink component

Blink>Network


Motivation

HSTS can be used by third parties to store arbitrary amounts of information that can track users around the web. This can be done by creating an arbitrary number of sub-domains, sending requests to each of those domains, setting an HSTS response on a subset of those requests, and then, in the future, tracking which sub-domain requests are automatically upgraded to HTTPS by the browser in order to identify that user.


Other browsers, such as Firefox and Safari, have already implemented forms of HSTS tracking prevention.


Initial public proposal

https://github.com/explainers-by-googlers/HSTS-Tracking-Prevention?tab=readme-ov-file#prior-art


TAG review

None


TAG review status

N/A


Risks

Interoperability and Compatibility

Gecko: Shipped - Similar design: Firefox blocks third-party HSTS responses.


WebKit: Shipped - Similar design: Safari blocks third-party HSTS responses.


Web developers: No signals


WebView application risks

None



Debuggability

None


Is this feature fully tested by web-platform-tests?

Not currently, but web platform tests will be added before launch.


Flag name

HstsTopLevelNavigationsOnly


Requires code in //chrome?

False


Tracking bug

https://crbug.com/40725781


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5072685886078976 
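
Added example (not part of the Intent and not Chromium code): a small JavaScript model of the HSTS supercookie described under Motivation, run against a simulated browser under three HSTS policies: today's behaviour, the proposed top-level-navigations-only upgrade, and the Firefox/Safari-style refusal to store HSTS from third-party responses. The tracker domain, the one-bit-per-subdomain encoding, the Browser class and every function name are assumptions of this model; it performs no network I/O.

```javascript
// Added example, not from the Intent or from Chromium: a model of the HSTS
// "supercookie" and of the proposed mitigation. Domain names, the encoding and
// the Browser class are assumptions of this model.

const TRACKER = "tracker.example"; // constructed, hypothetical tracker domain
const BITS = 8;                    // identifier width; one sub-domain per bit

function bitHost(i) {
  return `b${i}.${TRACKER}`;
}

// Tracker's server. While "writing" an id it answers HTTPS requests for bit
// host i with Strict-Transport-Security iff bit i of the id is set. Plain
// HTTP responses never carry STS (browsers ignore STS over HTTP anyway).
function trackerServer(idBeingWritten) {
  return (host, scheme) => {
    const headers = {};
    const m = /^b(\d+)\./.exec(host);
    if (idBeingWritten !== null && m && scheme === "https:" &&
        ((idBeingWritten >> Number(m[1])) & 1) === 1) {
      headers["strict-transport-security"] = "max-age=31536000";
    }
    return { headers };
  };
}

// Minimal model of a browser's HSTS store and upgrade logic.
//   topLevelOnly:       proposed Chrome behaviour, upgrade only top-level navigations
//   blockThirdPartySts: Firefox/Safari-style, ignore STS on third-party responses
class Browser {
  constructor({ topLevelOnly = false, blockThirdPartySts = false } = {}) {
    this.hsts = new Set(); // hostnames with a stored HSTS entry
    this.topLevelOnly = topLevelOnly;
    this.blockThirdPartySts = blockThirdPartySts;
  }
  // ctx.topLevel: request is a top-level navigation
  // ctx.thirdParty: request host differs from the top-level site
  // Returns the scheme the request was actually sent with.
  request(url, ctx, server) {
    const u = new URL(url);
    let scheme = u.protocol;
    const upgradeAllowed = ctx.topLevel || !this.topLevelOnly;
    if (scheme === "http:" && this.hsts.has(u.hostname) && upgradeAllowed) {
      scheme = "https:";
    }
    const resp = server(u.hostname, scheme);
    const sts = resp.headers["strict-transport-security"];
    const storeAllowed = !(this.blockThirdPartySts && ctx.thirdParty);
    if (scheme === "https:" && sts && storeAllowed) this.hsts.add(u.hostname);
    return scheme;
  }
}

// Write phase: the tracker is embedded on some site as HTTPS subresources.
function writeId(browser, id) {
  const server = trackerServer(id);
  for (let i = 0; i < BITS; i++) {
    browser.request(`https://${bitHost(i)}/px.gif`,
                    { topLevel: false, thirdParty: true }, server);
  }
}

// Read phase: request each bit host over plain HTTP. An automatic upgrade to
// HTTPS reveals a stored HSTS entry, i.e. a 1 bit. With topLevel=true the
// read is done by navigating the browser to every bit host instead.
function readId(browser, { topLevel = false } = {}) {
  const server = trackerServer(null);
  let id = 0;
  for (let i = 0; i < BITS; i++) {
    const scheme = browser.request(`http://${bitHost(i)}/px.gif`,
                                   { topLevel, thirdParty: !topLevel }, server);
    if (scheme === "https:") id |= 1 << i;
  }
  return id;
}

// Write 0xa5, then try to read it back both ways under a given policy.
function demo(opts) {
  const b = new Browser(opts);
  writeId(b, 0xa5);
  return { viaSubresources: readId(b), viaNavigations: readId(b, { topLevel: true }) };
}

console.log("current:         ", demo({}));
console.log("topLevelOnly:    ", demo({ topLevelOnly: true }));
console.log("blockThirdParty: ", demo({ blockThirdPartySts: true }));
```

Under the current behaviour the tracker reads 0xa5 back from third-party subresources. With the proposed top-level-only upgrade the write still succeeds but the subresource read yields 0, and only navigating the browser to each of the eight bit hosts recovers the value. With the Firefox/Safari approach the third-party STS headers are never stored, so nothing is recoverable by either route.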

