Feature #480

Disable HSTS

Added by Soren Stoutner 6 months ago. Updated 6 months ago.

Status: Closed
Priority: Next Release
Start date: 07/24/2019
% Done: 0%
Description

https://stackoverflow.com/questions/37379933/does-androids-webview-support-hsts

https://developer.android.com/training/articles/security-config.html

HSTS provides no benefit for Privacy Browser because it defaults to HTTPS.

However, it has the negative privacy consequence of creating a list of all the websites that a user has visited and storing that list in WebView's cache.

This cache is wiped out whenever Clear and Exit is run with the default settings, but it makes sense to me to disable the storage of such information in the first place.
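
The privacy effect described above, shown with a simplified model of an HSTS host store. This is an added example, not Privacy Browser or WebView code: `parse_hsts`, `HstsStore` and the sample hostnames are constructed for illustration, and WebView's actual on-disk format is not modelled.

```python
from urllib.parse import urlsplit

def parse_hsts(header):
    """Parse a Strict-Transport-Security value -> (max_age, include_subdomains) or None."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None  # duplicate or malformed max-age invalidates the header
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """Simplified model of a user agent's persisted HSTS host list."""
    def __init__(self):
        self.hosts = {}  # hostname -> (expiry time, include_subdomains)

    def note_response(self, url, headers, now):
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return  # a policy received over plain HTTP is ignored
        policy = parse_hsts(headers.get("Strict-Transport-Security", ""))
        if policy is None:
            return
        max_age, include_sub = policy
        if max_age == 0:
            self.hosts.pop(parts.hostname, None)  # max-age=0 deletes the entry
        else:
            self.hosts[parts.hostname] = (now + max_age, include_sub)

    def recoverable_hosts(self, now):
        """Hostnames readable from the store while their entries are unexpired."""
        return sorted(h for h, (expiry, _) in self.hosts.items() if expiry > now)

def demo():
    # Constructed browsing session; hostnames are placeholders.
    session = [
        ("https://clinic.example/", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
        ("https://forum.example/login", {"Strict-Transport-Security": "max-age=86400"}),
        ("http://news.example/", {"Strict-Transport-Security": "max-age=86400"}),
        ("https://shop.example/", {}),
        ("https://bank.example/", {"Strict-Transport-Security": "max-age=0"}),
    ]
    store = HstsStore()
    for url, headers in session:
        store.note_response(url, headers, now=0)
    return store.recoverable_hosts(now=3600)
```

Calling `demo()` returns the two hosts whose policies were stored: the store keeps a per-host record for as long as each `max-age` lasts, independent of the normal browsing history.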

History

#1

Updated by Soren Stoutner 6 months ago

  • Description updated

#2

Updated by Soren Stoutner 6 months ago

Information about the fingerprinting possibilities of HSTS can be found at https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security#Privacy_issues.
