New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 625946 link

Starred by 1 user
Status: WontFix
Owner: ----
Closed: Jul 2016
Cc:
mkwst@chromium.org
lgar...@chromium.org
mmenke@chromium.org
eroman@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Can't delete HSTS entrys by entering * at chrome://net-internals/#hsts [delete domain] or make HSTS completely off

Reported by patently.paul@gmail.com, Jul 6 2016 
UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0

Steps to reproduce the problem:
1. open chrome://net-internals/#hsts
2. open a site with https, that probably isn't listed in the preloaded HSTS entrys
3. enter * in 'Delete Domain'
4. query the domain if it is found in the HSTS set.

What is the expected behavior?
It deletes all the HSTS entrys that weren't preloaded.

What went wrong?
It still querys the HSTS entrys that weren't preloaded

Did this work before? N/A 

Chrome version: 51.0.2704.79 (Entwickler-Build) Ubuntu 16.04 (64-Bit)  Channel: n/a
OS Version: Ubuntu 16.04 (64-Bit)
Flash Version: Shockwave Flash 11.2 r202

On firefox you can go to about:support and click at something like 'open directory'(I have it in german) and look in that folder for SiteSecurityServiceState.txt . This file contains all the HSTS entry and they can be deleted and or make the file read-only.

Comment 1 by asanka@chromium.org, Jul 8 2016

Components: -UI Internals>Network>SSL
Status: Untriaged (was: Unconfirmed)

Comment 2 by davidben@chromium.org, Jul 8 2016

Cc: lgar...@chromium.org mkwst@chromium.org mmenke@chromium.org
I think this is working as intended in so far as that UI is not supposed to let you delete entries by typing in funny things anyway. I believe you must type in exactly the entry which set it.

+mmenke (net-internals), lgarron (HSTS), and mkwst (Clear Site Data) in case you all have any views here.

I think this is probably a WontFix. We definitely should not make '*' work as net-internals is meant to be an internal debugging page. We do not want it to do anything clever. I assume HSTS is hooked up to Clear Site Data under one of the categories (?) and it's probably not worth adding an HSTS-only tickbox there. Why would a normal person ever want to do that? Probably we shouldn't hide a "clear all HSTS entries" in net-internals either since it's, again, a debugging page and we don't appear to have ever needed that when debugging the net stack.

Comment 3 by rsleevi@chromium.org, Jul 8 2016

Components: -Internals>Network>SSL Internals>Network>Logging

Comment 4 by rsleevi@chromium.org, Jul 8 2016

Status: WontFix (was: Untriaged)
Correct. This is WAI.

Comment 5 by lgar...@chromium.org, Jul 20 2016 

I agree with the WontFix, given that there is already a way to clear site data. You can also start a new profile to get a new blank HSTS cache.

Comment 6 by mmenke@chromium.org, Jul 20 2016 

Late to the party, but I agree with not adding it to net-internals.  Clear Site Data is the only place where it might make sense - the HSTS does implicitly have history information, and if people want to be able to clear everything of that sort....

Sign in to add a comment