Can't delete HSTS entrys by entering * at chrome://net-internals/#hsts [delete domain] or make HSTS completely off
Reported by
patently.paul@gmail.com,
Jul 6 2016
|
||||
Issue descriptionUserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0 Steps to reproduce the problem: 1. open chrome://net-internals/#hsts 2. open a site with https, that probably isn't listed in the preloaded HSTS entrys 3. enter * in 'Delete Domain' 4. query the domain if it is found in the HSTS set. What is the expected behavior? It deletes all the HSTS entrys that weren't preloaded. What went wrong? It still querys the HSTS entrys that weren't preloaded Did this work before? N/A Chrome version: 51.0.2704.79 (Entwickler-Build) Ubuntu 16.04 (64-Bit) Channel: n/a OS Version: Ubuntu 16.04 (64-Bit) Flash Version: Shockwave Flash 11.2 r202 On firefox you can go to about:support and click at something like 'open directory'(I have it in german) and look in that folder for SiteSecurityServiceState.txt . This file contains all the HSTS entry and they can be deleted and or make the file read-only.
,
Jul 8 2016
I think this is working as intended in so far as that UI is not supposed to let you delete entries by typing in funny things anyway. I believe you must type in exactly the entry which set it. +mmenke (net-internals), lgarron (HSTS), and mkwst (Clear Site Data) in case you all have any views here. I think this is probably a WontFix. We definitely should not make '*' work as net-internals is meant to be an internal debugging page. We do not want it to do anything clever. I assume HSTS is hooked up to Clear Site Data under one of the categories (?) and it's probably not worth adding an HSTS-only tickbox there. Why would a normal person ever want to do that? Probably we shouldn't hide a "clear all HSTS entries" in net-internals either since it's, again, a debugging page and we don't appear to have ever needed that when debugging the net stack.
,
Jul 8 2016
,
Jul 8 2016
Correct. This is WAI.
,
Jul 20 2016
I agree with the WontFix, given that there is already a way to clear site data. You can also start a new profile to get a new blank HSTS cache.
,
Jul 20 2016
Late to the party, but I agree with not adding it to net-internals. Clear Site Data is the only place where it might make sense - the HSTS does implicitly have history information, and if people want to be able to clear everything of that sort.... |
||||
►
Sign in to add a comment |
||||
Comment 1 by asanka@chromium.org
, Jul 8 2016Status: Untriaged (was: Unconfirmed)