Closed JannisBush closed 7 months ago
Hi @JannisBush -- great find, thank you! I confirmed it. I will work on fixing the PrivacyTests test.
The basic HSTS tracking approach should also be blocked by Safari's approach, so maybe adding a note would be nice as it is better than doing nothing (as Chrome does).
In addition, Firefox both partitions HSTS cache and only allows HSTS to be set for the current top-level site (not domain as Safari does). However, this seems to be due to performance and not privacy reasons (https://bugzilla.mozilla.org/show_bug.cgi?id=1701192).
See the HSTS cache (fetch) item, now added. Thank you for bringing this to my attention!
Safari does not partition the HSTS cache. However, it only allows setting HSTS for the current top-level domain (https://webkit.org/tracking-prevention/) making it pass the test.
Steps to reproduce:

1. `await fetch("https://wpt.live/common/blank.html?pipe=header(strict-transport-security,max-age=100)")` in the first tab.
2. `await fetch("http://wpt.live/common/blank.html?pipe=header(Access-Control-Allow-Origin,*)")` in the second tab and observe that it is redirected.
3. `await fetch("https://wpt.live/common/blank.html?pipe=header(strict-transport-security,max-age=0)")` in the first tab.
4. `await fetch("http://wpt.live/common/blank.html?pipe=header(Access-Control-Allow-Origin,*)")` in the second tab and observe that it is not redirected.
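The reproduction steps above, modelled offline as an added example that is not part of this issue or of PrivacyTests: a toy HSTS cache with the three policies the thread describes (unpartitioned and settable by any host, as in Chrome; unpartitioned but settable only by the top-level site, as in Safari; partitioned and top-level-only, as in Firefox), run through the same set/clear sequence. The tab hostnames (`site-a.example`, `site-b.example`) and the crude eTLD+1 rule are assumptions.

```javascript
// Added example (not from the issue or PrivacyTests): a toy model of three
// HSTS-cache policies, run through the thread's set/clear steps.

// Assumption: a crude eTLD+1 (last two labels) stands in for the real
// public-suffix-based "site" computation; it is enough for these hostnames.
function site(host) {
  return host.split(".").slice(-2).join(".");
}

// policy.partitioned: entries are keyed by (top-level site, host).
// policy.topLevelOnly: a header only counts when host is the top-level site.
class HstsCache {
  constructor(policy) {
    this.policy = policy;
    this.entries = new Map();
  }
  key(topLevelHost, host) {
    return this.policy.partitioned ? `${site(topLevelHost)}|${host}` : host;
  }
  // A Strict-Transport-Security header received from `host` inside a tab
  // whose top-level site is `topLevelHost`. Returns true if it was honoured.
  observeHeader(topLevelHost, host, maxAge) {
    if (this.policy.topLevelOnly && site(host) !== site(topLevelHost)) return false;
    const k = this.key(topLevelHost, host);
    if (maxAge <= 0) this.entries.delete(k); else this.entries.set(k, maxAge);
    return true;
  }
  // Would an http:// request to `host` from this tab be upgraded to https://?
  upgrades(topLevelHost, host) {
    return this.entries.has(this.key(topLevelHost, host));
  }
}

const POLICIES = {
  chrome:  { partitioned: false, topLevelOnly: false }, // as described in the thread
  safari:  { partitioned: false, topLevelOnly: true  },
  firefox: { partitioned: true,  topLevelOnly: true  },
};

// The reproduction steps: tab 1 and tab 2 are assumed to be pages on two
// different sites (neither is wpt.live) that each fetch wpt.live.
function runRepro(policyName, tab1 = "site-a.example", tab2 = "site-b.example") {
  const cache = new HstsCache(POLICIES[policyName]);
  cache.observeHeader(tab1, "wpt.live", 100);          // step 1: set HSTS
  const afterSet = cache.upgrades(tab2, "wpt.live");   // step 2: redirected?
  cache.observeHeader(tab1, "wpt.live", 0);            // step 3: clear HSTS
  const afterClear = cache.upgrades(tab2, "wpt.live"); // step 4: still redirected?
  return { afterSet, afterClear, leaksAcrossSites: afterSet };
}
```

Only the unpartitioned, any-host policy reports `leaksAcrossSites: true`; the top-level-only policies never store the entry set from the cross-site fetch, which is why the test passes in Safari even without partitioning.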