Implement HSTS preload for .dev domains #2604
Comments
bromite uses by default the list of HSTS domains given by net/http/transport_security_state_static.json and it seems to work for me
the use of http connections is clearly displayed by the ui. it is up to your personal threat model to set, for instance, the forcing to https or the complete disabling of the http protocol, which is possible in bromite via the
in my work as a developer, if i consider something necessary, i force it without waiting for others to do it for me. but that is obviously a personal opinion.
with regard to HSTS, bromite is flawed in not partitioning the cache (see uazo/bromite-buildtools#89).
Try entering jordant.dev and you'll get Not found. Try going to http://jordant.dev/ in Bromite. It won't redirect to https. Compare this to Chrome's behavior. Regarding the fact that Bromite displays that the connection is HTTP in the address bar: the whole point of the HSTS list is to prevent HTTP in the first place. So, if someone just types jordant.dev into the address bar, the browser should not even try to go to http://jordant.dev/.
https://jordant.dev get not found.
I'm not sure what you're trying to say. Is that in Bromite? Enter jordant.dev into chrome://net-internals/#hsts and you'll get not found in Bromite. Go to http://jordant.dev/ in Bromite and it will not redirect to https://jordant.dev/.
oops. you are right.
Where can I get your version of Bromite?
Preliminary checklist
Is your feature request related to privacy?
Yes
Is there a patch available for this feature somewhere?
No.
Describe the solution you would like
According to Google, all .dev domains are included on the HSTS preload list. However, when I go to chrome://net-internals/ and enter a .dev domain into the Query HSTS field, Bromite comes back with Not found.
Compare this to Chrome's response for the same domain:
Bromite's behavior exposes users to potentially unencrypted connections. This is especially true for .dev domains because, since Google markets the domain as on the HSTS preload list, domain owners may not implement HSTS headers or even HTTPS redirects for their .dev domains because they believe users are being redirected to HTTPS automatically.
Describe alternatives you have considered
There are no alternatives other than using a different browser.
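As an added illustration (not code from Bromite or Chromium), a minimal lookup over a constructed excerpt in the shape of the net/http/transport_security_state_static.json file mentioned in the thread. It shows why a query for jordant.dev should resolve via the include_subdomains entry for dev, and how a preload hit turns a typed http:// URL into https:// before any request is made. The field names (entries, name, mode, include_subdomains) are assumed to match Chromium's file; the entry values are constructed.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed excerpt in the shape of Chromium's
# net/http/transport_security_state_static.json. Values are illustrative,
# not copied from the real file; the "dev" TLD entry is the case at issue.
PRELOAD_JSON = """
{
  "entries": [
    {"name": "dev", "policy": "public-suffix", "mode": "force-https",
     "include_subdomains": true},
    {"name": "example-only.test", "policy": "custom", "mode": "force-https",
     "include_subdomains": false}
  ]
}
"""

def load_entries(text):
    """Index preload entries by their exact host name."""
    return {e["name"]: e for e in json.loads(text)["entries"]}

def preload_entry_for(host, entries):
    """Return the force-https entry covering host, or None.

    Walk from the full host up through its parent labels: an exact match
    always applies, a parent entry applies only with include_subdomains.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = entries.get(".".join(labels[i:]))
        if entry is None:
            continue
        if (i == 0 or entry.get("include_subdomains", False)) \
                and entry.get("mode") == "force-https":
            return entry
    return None

def upgrade_url(url, entries):
    """Rewrite http:// to https:// when the host is on the preload list."""
    parts = urlsplit(url)
    if parts.scheme != "http" or preload_entry_for(parts.hostname or "", entries) is None:
        return url  # not http, or not preloaded: leave untouched
    netloc = parts.hostname
    if parts.port and parts.port != 80:
        netloc += ":%d" % parts.port  # keep an explicit non-default port
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```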