brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0

Unable to delete hsts #27296

Open hulvat opened 1 year ago

hulvat commented 1 year ago

Description

Unable to disable redirecting from http to https or delete hsts rules

Steps to Reproduce

  1. type brave://net-internals/#hsts
  2. put domain name into input Delete domain security policies
  3. click Delete

Actual result:

Nothing happened

Expected result:

Deleted Dynamic domain security policies

Reproduces how often:

many times

Brave version (brave://version info)

1.46.140 Chromium: 108.0.5359.99

rebron commented 1 year ago

cc: @diracdeltas Not clear on how to triage this one? Can you take a look?

diracdeltas commented 1 year ago

It depends if these are dynamic HSTS or preload HSTS. The latter is not supposed to be deletable. The former should be deletable via brave://net-internals/#hsts, and if not then it's a bug.

webloft commented 1 year ago

However, using the preload lists should be an opt-in

https://hstspreload.org/

Also because TLD domains like ".page" are preloaded - so something like foo.page will never work.
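
A simplified model of the distinction drawn in the comments above, added here as an illustration and not Brave or Chromium code: deletion removes only an exact-host dynamic entry, so a host covered by a preloaded entry or by a parent's dynamic entry stays upgraded. The class and function names, the hosts under example.test, and the include-subdomains flag on the "page" entry are assumptions of this model.

```python
from dataclasses import dataclass, field

# Constructed preload data. That ".page" is preloaded comes from the thread;
# include_subdomains=True for it is this model's assumption.
PRELOAD = {"page": True}  # name -> include_subdomains


def normalize(host):
    return host.strip().lower().rstrip(".")


@dataclass
class HstsStore:
    dynamic: dict = field(default_factory=dict)  # name -> include_subdomains

    def observe_header(self, host, include_subdomains=False):
        """A Strict-Transport-Security header seen over HTTPS adds a dynamic entry."""
        self.dynamic[normalize(host)] = include_subdomains

    def delete_dynamic(self, host):
        """Model of the delete form: exact host, dynamic entries only."""
        return self.dynamic.pop(normalize(host), None) is not None

    def query(self, host):
        """Return (upgraded, source, matching_name) for a host."""
        labels = normalize(host).split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            for source, table in (("dynamic", self.dynamic), ("preload", PRELOAD)):
                # A parent entry applies only if it includes subdomains.
                if name in table and (i == 0 or table[name]):
                    return True, source, name
        return False, None, None


if __name__ == "__main__":
    store = HstsStore()
    store.observe_header("hsts.badssl.com")
    print(store.query("hsts.badssl.com"))
    print(store.delete_dynamic("hsts.badssl.com"), store.query("hsts.badssl.com"))
    print(store.delete_dynamic("foo.page"), store.query("foo.page"))
    # Constructed hosts: the parent's dynamic entry still covers the subdomain.
    store.observe_header("example.test", include_subdomains=True)
    store.observe_header("dev.example.test")
    print(store.delete_dynamic("dev.example.test"), store.query("dev.example.test"))
```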

sa-rat commented 1 year ago

I'm also experiencing this issue. The domain name in my case is not on the preload lists. 1.49.120 Chromium: 111.0.5563.64

EugenMayer commented 1 year ago

Same here. Still an issue in v1.50.125

EugenMayer commented 1 year ago

Any reason why this is ignored or on needs-more-info? What needs to be provided?

Currently, there is simply no way to effectively remove an hsts entry in brave.

On brave://net-internals/#hsts neither searching for 'domain.lan' nor https://domain.lan yields any results, nor just blindly trying to delete it. HSTS stays in place.

Especially for local domains for development purposes, which can be used with https/http depending on the config, this really hinders using brave.

I would be very grateful if we could move this issue forward.

FYI: this does not work in the most recent Chromium either (there using chrome://net-internals/#events)

diracdeltas commented 1 year ago

This is working for me fine in Brave 1.57.1, but I had to first disable the "Upgrade connections to HTTPS" setting in brave://settings/shields.

  1. Visit https://hsts.badssl.com/
  2. In brave://net-internals/#hsts, query for hsts.badssl.com and note dynamic_upgrade_mode: FORCE_HTTPS
  3. On the same page, delete hsts.badssl.com
  4. Visit http://hsts.badssl.com/ and verify that it's not upgraded

EugenMayer commented 1 year ago

@diracdeltas maybe this is related to TLDs - local tlds like lan might be somehow excluded in the hsts search?