Closed Thorin-Oakenpants closed 2 years ago
AFAIK any HSTS supercookies are rendered useless with HoM: a=Y, b=Y, c=Y, d=Y, e=Y every single time regardless of HSTS. I doubt anyone is going to set HoM exceptions for numerous subresources, and HoM silently fails those anyway.
So, if I understand this correctly, the HTTPS cache test should take Insecure website into account, reflect that in the result, and return "passed"?
Thanks @Thorin-Oakenpants for opening this issue, which is relevant to me as well (and sorry to both of you, I previously posted a - now deleted - comment that was meant for private research). I'm under the same impression that this could be a false positive, as I tested and connections are always upgraded to https before leaving the browser.
I have a question for @arthuredelstein anyway: if you have the time, could you explain to me how you go about testing isolation of the HSTS cache? If it really turns out to be a false positive, could it be worked around by having two subresources, one that asks for the secure connection and the other that doesn't?
Hi @Thorin-Oakenpants and @fxbrit -- you are right. This is a false positive for LibreWolf. I removed the X for now and I'm looking into a fix. Thank you both and sorry for the error.
Rather than create a new issue
Change in issue 11 - font isolation is now a fail for gecko desktop. Font cache should be isolated by network partitioning
Rather than create a new issue
Please do create new issues! :) So I can close each issue one by one.
I split out #77.
The HSTS issue was fixed in Issue 11.
Librewolf shows HSTS cache fails state partitioning. This doesn't seem right.
LW has network partitioning on by default. Looking at entries in SiteSecurityServiceState.txt, they are (with some principals excepted) all eTLD or eTLD+1 with partitionKey= origin attributes. Where are 3rd party entries kept? Same in Firefox, and in arkenfox with Firefox. Arkenfox is literally the same as LW (in v96 we move from FPI to dFPI), which is why I am interested in why LW fails.
Reading your description and code, which I can't quite wrap my head around, I wonder if HTTPS-Only Mode is affecting this result? LW also fails in this test in PB Mode, and we know HoM also overrides HTTPS-First in PB mode. Could you run LW with dom.security.https_only_mode reset to false? And/or give any insight? TIA
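The reasoning in this thread (a partitioned HSTS store keyed by partitionKey, and HTTPS-Only Mode upgrading every request so that a cross-site read sees "Y" for every bit) can be modelled in a few lines. The following is an added example, not code from privacytests.org, LibreWolf or Firefox: it simulates an HSTS store that is optionally partitioned by top-level site, a browser flag that upgrades everything to https, and two versions of the cache-isolation check. The site names, host names and function names are constructed for the illustration; the "naive" check reports a failure whenever the second site sees https subresources (the false positive discussed above), while the control-aware check compares against a host that never received HSTS and so returns "passed" under HoM.

```python
from dataclasses import dataclass, field

# Constructed host names for the model (not from the page).
WRITE_HOSTS = ["a.example", "b.example", "c.example", "d.example", "e.example"]
CONTROL_HOST = "control.example"   # never receives an HSTS header
SITE_A = "first-site.example"      # the site that "writes" the HSTS state
SITE_B = "second-site.example"     # the site that tries to "read" it back


@dataclass
class Browser:
    # Model of privacy.partition.network_state (dFPI network partitioning).
    partition_network_state: bool
    # Model of dom.security.https_only_mode (HTTPS-Only Mode, HoM).
    https_only_mode: bool
    # HSTS store keyed by (partition key, host); key is None when unpartitioned.
    hsts: set = field(default_factory=set)

    def _key(self, top_site, host):
        return (top_site if self.partition_network_state else None, host)

    def record_hsts(self, top_site, host):
        """A subresource on `host`, loaded under `top_site`, sent an HSTS header."""
        self.hsts.add(self._key(top_site, host))

    def fetch_scheme(self, top_site, host):
        """Scheme an http:// subresource request to `host` actually leaves with."""
        if self.https_only_mode:
            return "https"            # HoM upgrades regardless of HSTS state
        if self._key(top_site, host) in self.hsts:
            return "https"            # HSTS upgrade from the (possibly partitioned) store
        return "http"


def _write_state(browser):
    for host in WRITE_HOSTS:
        browser.record_hsts(SITE_A, host)


def naive_hsts_test(browser):
    """Checks only whether SITE_B sees the subresources upgraded to https."""
    _write_state(browser)
    upgraded = [h for h in WRITE_HOSTS if browser.fetch_scheme(SITE_B, h) == "https"]
    return "fail" if upgraded else "passed"


def control_aware_hsts_test(browser):
    """Same check, but a host that never got HSTS is fetched as a control.

    If the control is also upgraded, the upgrade does not come from the HSTS
    store (HoM is on), so no state was read across sites.
    """
    _write_state(browser)
    control_upgraded = browser.fetch_scheme(SITE_B, CONTROL_HOST) == "https"
    if control_upgraded:
        return "passed"
    upgraded = [h for h in WRITE_HOSTS if browser.fetch_scheme(SITE_B, h) == "https"]
    return "fail" if upgraded else "passed"


if __name__ == "__main__":
    for partitioned in (False, True):
        for hom in (False, True):
            b = Browser(partition_network_state=partitioned, https_only_mode=hom)
            print(f"partitioned={partitioned!s:5} HoM={hom!s:5} "
                  f"naive={naive_hsts_test(b):6} "
                  f"control-aware={control_aware_hsts_test(Browser(partitioned, hom))}")
```

With partitioning off and HoM off, both checks report a failure, since the state written under the first site is readable from the second. With partitioning on and HoM off, both report "passed". With HoM on, the naive check reports a failure in either case, because every subresource comes back as https; the control-aware check recognises that the control host was upgraded too and reports "passed", which is the distinction the comments above ask the test to make.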