
Implement HSTS preload for .dev domains #2604

Open
4 tasks done
jordanbtucker opened this issue Mar 25, 2023 · 7 comments

Comments

@jordanbtucker

Preliminary checklist

  • I have read the README
  • I have read the FAQs.
  • I have searched existing issues for my feature request. This is a new issue (NOT a duplicate) and is not related to another issue.
  • This is a feature request for the Bromite browser; not the website nor F-Droid nor anything else.

Is your feature request related to privacy?

Yes

Is there a patch available for this feature somewhere?

No.

Describe the solution you would like

According to Google, all .dev domains are included on the HSTS preload list. However, when I go to chrome://net-internals/ and enter a .dev domain into the Query HSTS field, Bromite comes back with Not found.

Compare this to Chrome's response for the same domain:

static_sts_domain: dev
static_upgrade_mode: FORCE_HTTPS
static_sts_include_subdomains: true
static_sts_observed: 1679355733

Bromite's behavior exposes users to potentially unencrypted connections. This is especially true for .dev domains: because Google markets the TLD as being on the HSTS preload list, domain owners may not implement HSTS headers or even HTTPS redirects for their .dev domains, believing that users are redirected to HTTPS automatically.

Describe alternatives you have considered

There are no alternatives other than using a different browser.

@uazo
Collaborator

uazo commented Mar 25, 2023

when I go to chrome://net-internals/ and enter a .dev domain into the Query HSTS field, Bromite comes back with Not found.

bromite uses by default the list of HSTS domains given by net/http/transport_security_state_static.json and it seems to work for me
[screenshot attached]

Bromite's behavior exposes users to potentially unencrypted connections

the use of http connections is clearly displayed by the ui. it is up to your personal threat model to set, for instance, the forcing to https or the complete disabling of the http protocol, which is possible in bromite via the #cleartext-permitted flag.

they believe users are being redirected to HTTPS automatically.

in my work as a developer, if i consider something necessary, i force it without waiting for others to do it for me. but that is obviously a personal opinion.

There are no alternatives other than using a different browser.

with regard to hsts, bromite is flawed in not partitioning the cache (see uazo/bromite-buildtools#89).
other browsers, however, sin with https, allowing weak protocols to pass (see uazo/bromite-buildtools#73 (comment)), then the choice is yours

@jordanbtucker
Author

jordanbtucker commented Mar 25, 2023

it seems to work for me

Try entering jordant.dev and you'll get Not found.

Try going to http://jordant.dev/ in Bromite. It won't redirect to https. Compare this to Chrome's behavior.

Regarding the fact that Bromite displays that the connection is HTTP in the address bar: the whole point of the HSTS list is to prevent HTTP in the first place. So, if someone just types jordant.dev into the address bar, the browser should not even try to go to http://jordant.dev/.
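An added example to make the two points above concrete (it is not code from the issue, from Bromite, or from Chromium): a small lookup modelled on the shape of Chromium's `transport_security_state_static.json` that answers the `chrome://net-internals/#hsts` style query shown in the issue body (walking from the full host up to the TLD, honouring `include_subdomains`, so `jordant.dev` resolves to the whole-TLD entry `dev`), and an internal upgrade that rewrites `http://` to `https://` before any request is made. The JSON is a constructed sample with only three entries; the field names follow the real file but nothing here is read from it.

```python
"""Static HSTS preload lookup and internal HTTPS upgrade.

Added example, not Bromite/Chromium code. The JSON below is a constructed
sample in the shape of Chromium's transport_security_state_static.json:
"dev" is a whole-TLD entry, "example.com" a normal entry, and "nosub.test"
an entry that deliberately opts out of subdomain coverage.
"""
import json
from urllib.parse import urlsplit, urlunsplit

SAMPLE_PRELOAD_JSON = """
{
  "entries": [
    {"name": "dev", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true},
    {"name": "example.com", "policy": "custom", "mode": "force-https", "include_subdomains": true},
    {"name": "nosub.test", "policy": "custom", "mode": "force-https", "include_subdomains": false}
  ]
}
"""


def load_preload(text):
    """Index entries by lower-cased name, keeping only those that force HTTPS."""
    data = json.loads(text)
    return {e["name"].lower(): e for e in data["entries"]
            if e.get("mode") == "force-https"}


def query_hsts(preload, host):
    """Mimic the "Query HSTS" lookup: try the exact host, then each parent
    label up to the TLD. The exact host matches any entry; a parent label
    matches only if that entry has include_subdomains. Returns a dict in the
    style of net-internals output, or None for "Not found"."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = preload.get(candidate)
        if entry is None:
            continue
        if i == 0 or entry.get("include_subdomains"):
            return {
                "static_sts_domain": candidate,
                "static_upgrade_mode": "FORCE_HTTPS",
                "static_sts_include_subdomains": bool(entry.get("include_subdomains")),
            }
        # Parent entry exists but does not cover subdomains; keep walking up.
    return None


def upgrade_url(preload, url):
    """Rewrite an http:// URL to https:// when its host is preloaded, before
    any network request is issued. Per RFC 6797, port 80 becomes the default
    HTTPS port and any other explicit port is kept. Non-http or unlisted URLs
    are returned unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http" or query_hsts(preload, parts.hostname or "") is None:
        return url
    netloc = parts.netloc
    if netloc.endswith(":80"):
        netloc = netloc[:-3]
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    preload = load_preload(SAMPLE_PRELOAD_JSON)
    for host in ("jordant.dev", "www.nosub.test", "example.org"):
        print(host, "->", query_hsts(preload, host) or "Not found")
    print(upgrade_url(preload, "http://jordant.dev/"))
```

The walk-up loop is the part that matters for this issue: a browser whose static list lacks the `dev` entry (or has it without `include_subdomains`) returns "Not found" for `jordant.dev` and will happily issue the cleartext request, which is exactly the behaviour described above.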

@uazo
Collaborator

uazo commented Mar 25, 2023

Try entering jordant.dev

[screenshot attached]

and you'll get Not found.

https://jordant.dev get not found.

@jordanbtucker
Author

jordanbtucker commented Mar 25, 2023

I'm not sure what you're trying to say. Is that in Bromite?

Enter jordant.dev into chrome://net-internals/#hsts and you'll get not found in Bromite.

Go to http://jordant.dev/ in Bromite and it will not redirect to https://jordant.dev/.

[screenshot: Screenshot_20230325-122248]

[screenshot: Screenshot_20230325-122216]

@uazo
Collaborator

uazo commented Mar 25, 2023

Is that in Bromite?

oops, you are right.
I confused the apks; the one I tried is my version of bromite, latest at 111. I apologize for the confusion.
Well then, whatever happened to 108, with 111 it was solved...

@jordanbtucker
Author

Where can I get your version of Bromite?

@Universalizer

https://github.com/uazo/bromite-buildtools
