Feature #480

closed

Disable HSTS

Added by Soren Stoutner over 5 years ago. Updated over 5 years ago.

Status: Closed
Priority: Next Release
Start date: 07/24/2019
Due date:
% Done: 0%
Estimated time:

Description

https://stackoverflow.com/questions/37379933/does-androids-webview-support-hsts

https://developer.android.com/training/articles/security-config.html

HSTS provides no benefit for Privacy Browser because it defaults to HTTPS.

However, it has the negative privacy consequence of creating a list of all the websites that a user has visited and storing that list in WebView's cache.

This cache is wiped out whenever Clear and Exit is run with the default settings, but it makes sense to me to disable the storage of such information in the first place.

#1

Updated by Soren Stoutner over 5 years ago

  • Description updated

#2

Updated by Soren Stoutner over 5 years ago

Information about the fingerprinting possibilities of HSTS can be found at https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security#Privacy_issues.
