
Issue 729588

Starred by 3 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Feature




HSTS data should be cleared when clearing browsing data for privacy

Reported by runem...@gmail.com, Jun 5 2017

Issue description

UserAgent: Mozilla/5.0 (Linux; Android 6.0.1; 6045I Build/MMB29M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.83 Mobile Safari/537.36

Steps to reproduce the problem:
1. Go to a site using HSTS (ex.: google.com)
2. Clear all browsing data
3. Query the domain name on chrome://net-internals/#hsts

What is the expected behavior?
The site shouldn't show up in HSTS data. It should be cleared along with "Cookies and for data"

What went wrong?
HSTS data remains after clearing all browsing data, so someone could get a list of all sites using HSTS that the user visited, which is a big privacy risk.

Did this work before? No 

Chrome version: 58.0.3029.83  Channel: stable
OS Version: 
Flash Version:
 
"google.com" is on the HSTS preload list that gets compiled into the chrome binary. Clearing "Cookies and other site data" only clears dynamic HSTS data.

When you query the HSTS cache for "google.com", does it show up as "static_sts_domain" or as "dynamic_sts_domain"?

The static entries are always there (unless you are using an old or unofficial build) even if you never visited the website. You can find all preloaded HSTS domains at https://cs.chromium.org/codesearch/f/chromium/src/net/http/transport_security_state_static.json

Because the static entries always show up regardless of browser history, they don't pose a privacy risk.

Can you retry this with stackoverflow.com instead? The stackoverflow.com domain is not on the preload list but is serving an HSTS header, so its HSTS state should get removed when you clear your cache.
Components: Internals>Network>DomainSecurityPolicy
Labels: Needs-Feedback
I just double-checked on Canary, and resetting browsing data resets dynamic HSTS.

martijn@ has already explained all the relevant parts. stackoverflow.com should work, but it may be preloaded some day.

I've attached screenshots of how hsts.badssl.com and preloaded-hsts.badssl.com should look in chrome://net-internals/#hsts
Could you confirm that visiting https://hsts.badssl.com results in hsts-after-visiting.png, and clearing browsing data results in `hsts-after-clearing-browsing-data.png`?
Attachments:
preloaded-hsts.png (450 KB)
hsts-after-visiting.png (480 KB)
hsts-after-clearing-browsing-data.png (368 KB)

Comment 4 by runem...@gmail.com, Jun 5 2017

Yes, you're right. Sites that aren't preloaded are cleared when clearing browsing history so there's actually no bug.
Project Member

Comment 5 by sheriffbot@chromium.org, Jun 5 2017

Cc: lgar...@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "lgarron@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: WontFix (was: Unconfirmed)
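
The static versus dynamic distinction discussed in this thread, as an added example that is not part of the issue or of Chromium's code: a small Python model of an HSTS store in which clearing browsing data drops only the dynamic entries. The preload-file layout (`//` comment lines and an `entries` array with `name`, `mode` and `include_subdomains`), the `HstsStore` class and the sample data are assumptions constructed for illustration.

```python
import json
import re
# Constructed sample (not the real list), in the layout assumed for the preload file.
SAMPLE_PRELOAD = """
// constructed sample; comment lines like this one are stripped before parsing
{ "entries": [
  { "name": "preloaded-hsts.badssl.com", "mode": "force-https", "include_subdomains": true },
  { "name": "pins-only.example", "include_subdomains": true }
] }
"""

def load_static(text):
    """Return {host: include_subdomains} for entries that force HTTPS."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("//"))
    return {e["name"].lower(): bool(e.get("include_subdomains"))
            for e in json.loads(body)["entries"] if e.get("mode") == "force-https"}

def parse_sts(header):
    """Parse a Strict-Transport-Security value; None when max-age is missing."""
    m = re.search(r"(?i)(?:^|;)\s*max-age\s*=\s*\"?(\d+)\"?\s*(?:;|$)", header)
    sub = re.search(r"(?i)(?:^|;)\s*includeSubDomains\s*(?:;|$)", header)
    return (int(m.group(1)), sub is not None) if m else None

class HstsStore:
    def __init__(self, static):
        self.static, self.dynamic = static, {}  # dynamic: host -> (expiry, subdomains)

    def observe(self, host, header, now):
        """Record a header received over HTTPS; max-age=0 removes the entry."""
        parsed = parse_sts(header)
        if parsed and parsed[0] > 0:
            self.dynamic[host.lower()] = (now + parsed[0], parsed[1])
        elif parsed:
            self.dynamic.pop(host.lower(), None)

    def clear_browsing_data(self):
        self.dynamic.clear()  # static entries are compiled in and stay

    def query(self, host, now):
        """Name the static and dynamic entries covering host, most specific first."""
        labels, hit = host.lower().rstrip(".").split("."), {}
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            exp, sub = self.dynamic.get(name, (0, False))
            if name in self.static and (i == 0 or self.static[name]):
                hit.setdefault("static_sts_domain", name)
            if exp > now and (i == 0 or sub):
                hit.setdefault("dynamic_sts_domain", name)
        return hit
```

A host that reports only `static_sts_domain` after clearing is expected behaviour and says nothing about browsing history; a `dynamic_sts_domain` that survived clearing would be the privacy-relevant result.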
