privacytests / privacytests.org

Source code for privacytests.org. Includes browser testing code and site rendering.
https://privacytests.org
MIT License

Incorrect HSTS partitioning result Safari #188

Closed JannisBush closed 7 months ago

JannisBush commented 7 months ago

Safari does not partition the HSTS cache. However, it only allows setting HSTS for the current top-level domain (https://webkit.org/tracking-prevention/) making it pass the test.

Steps to reproduce:

  1. Open two tabs in Safari.
  2. Visit https://wpt.live/ in the first tab.
  3. Visit http://example.org in the second tab.
  4. Run await fetch("https://wpt.live/common/blank.html?pipe=header(strict-transport-security,max-age=100)") in the first tab.
  5. Run await fetch("http://wpt.live/common/blank.html?pipe=header(Access-Control-Allow-Origin,*)") in the second tab and observe that it is redirected.
  6. Run await fetch("https://wpt.live/common/blank.html?pipe=header(strict-transport-security,max-age=0)") in the first tab.
  7. Run await fetch("http://wpt.live/common/blank.html?pipe=header(Access-Control-Allow-Origin,*)") in the second tab and observe that it is not redirected.
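
To make the reproduction concrete, here is an added model (not part of the issue or of the privacytests.org code) that replays steps 4 to 7 against three hypothetical HSTS cache policies: a fully shared cache, a shared cache that only accepts HSTS from the current top-level domain (the Safari behaviour described above), and a cache partitioned by top-level site. The policy names, the `HstsCache` class and the `replay` helper are the example's own assumptions, and the tab layout follows the steps (tab 1 top-level wpt.live, tab 2 top-level example.org).

```javascript
// Added example, not privacytests.org code: a toy model of a browser's HSTS
// cache under three hypothetical policies, used to replay steps 4-7 above.
//   "shared"          one global cache, any HTTPS response may set HSTS
//   "first-party-set" one global cache, but only a response whose host equals
//                     the top-level site may set HSTS (Safari-like)
//   "partitioned"     cache keyed by top-level site, set only first-party
function parseMaxAge(stsHeader) {
  // Strict-Transport-Security: max-age=<seconds>[; includeSubDomains]
  const m = /max-age\s*=\s*"?(\d+)"?/i.exec(stsHeader || "");
  return m ? Number(m[1]) : null;
}

class HstsCache {
  constructor(policy) {
    this.policy = policy;
    this.entries = new Set(); // keys of hosts that must be upgraded to https
  }
  key(topLevelSite, host) {
    return this.policy === "partitioned" ? `${topLevelSite}|${host}` : host;
  }
  // An HTTPS response from `host`, loaded under `topLevelSite`, carried STS.
  observe(topLevelSite, host, stsHeader) {
    const maxAge = parseMaxAge(stsHeader);
    if (maxAge === null) return;
    if (this.policy !== "shared" && host !== topLevelSite) return; // ignore third-party
    const k = this.key(topLevelSite, host);
    if (maxAge === 0) this.entries.delete(k); else this.entries.add(k);
  }
  // Would an http:// request to `host` under `topLevelSite` be upgraded?
  upgrades(topLevelSite, host) {
    return this.entries.has(this.key(topLevelSite, host));
  }
}

// Tab 1 is top-level wpt.live, tab 2 is top-level example.org (as in the steps).
function replay(policy) {
  const cache = new HstsCache(policy);
  const out = {};
  cache.observe("wpt.live", "wpt.live", "max-age=100");      // step 4
  out.afterSet = cache.upgrades("example.org", "wpt.live");   // step 5
  cache.observe("wpt.live", "wpt.live", "max-age=0");        // step 6
  out.afterClear = cache.upgrades("example.org", "wpt.live"); // step 7
  // A test that only tries to set HSTS from the third-party context would
  // pass a Safari-like policy even though its cache is shared:
  cache.observe("example.org", "wpt.live", "max-age=100");
  out.thirdPartySet = cache.upgrades("example.org", "wpt.live");
  return out;
}
```

`replay("shared")` reports the third-party set succeeding, `replay("first-party-set")` upgrades in step 5 but rejects the third-party set, and `replay("partitioned")` never upgrades across sites, which is why a first-party set followed by a third-party probe is the test that separates the three.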

arthuredelstein commented 7 months ago

Hi @JannisBush -- great find, thank you! I confirmed it. I will work on fixing the PrivacyTests test.

JannisBush commented 7 months ago

The basic HSTS tracking approach should also be blocked by Safari's approach, so maybe adding a note would be nice as it is better than doing nothing (as Chrome does).

In addition, Firefox both partitions HSTS cache and only allows HSTS to be set for the current top-level site (not domain as Safari does). However, this seems to be due to performance and not privacy reasons (https://bugzilla.mozilla.org/show_bug.cgi?id=1701192).

arthuredelstein commented 7 months ago

See the HSTS cache (fetch) item, now added. Thank you for bringing this to my attention!