
HSTS should not be shared between appIds

RESOLVED WONTFIX

Core :: Networking

(Reporter: baku, Unassigned)

(Reporter)

Description

2 years ago
Currently, in b2g, if the same page is opened by 2 different apps, we share HSTS settings and this can be used for tracking. Would be nice to have this information associated with the appId of the app.

Comment 1

I think the way that we currently do this is actually fine. I agree there's some information leakage, but until we see that starting to be exploited to do tracking or other bad things, I'd rather do things as we do them now since it has security benefits.

Comment 2

I agree with Jonas.

Richard, if you agree too, then please mark WONTFIX
Flags: needinfo?(rlb)
(Reporter)

Comment 3

2 years ago
We don't permanently store HSTS information in private browsing.
Why do we do that there if we think that having such information leaked is not a problem?
It seems like inconsistent behavior: private browsing is a kind of sandbox environment.
The same is true of b2g with appIds: sandboxes, but just persistent.

I push to have this fixed if it doesn't require a huge amount of work.
(Reporter)

Updated

2 years ago
Flags: needinfo?(jonas)
Comment 4

I think private browsing is intended to provide stronger guarantees than our cookie jar implementation. With private browsing one goal is for example to ensure that there's no trace of the user visiting a website if the visit happened during private browsing.

Splitting the HSTS database on a per-cookie jar basis has security disadvantages, so even if it was a zero-line fix, I don't think we'd actually want to do it.
Flags: needinfo?(jonas)
(Reporter)

Comment 5

2 years ago
> Splitting the HSTS database on a per-cookie jar basis has security
> disadvantages, so even if it was a zero-line fix, I don't think we'd actually
> want to do it.

Can you tell me more about these security disadvantages?
Flags: needinfo?(jonas)
Comment 6

(In reply to Andrea Marchesini (:baku) from comment #5)
> Can you tell me more about these security disadvantages?

It would mean less use of https

Comment 7

2 years ago
I think this is a really serious issue. I understand the security disadvantages, but there should at least be an option to prevent this type of tracking. It is unknown if this is not already exploited. Even if not, the time will come when it will be, and until a better solution comes along, the user should be able to decide between security and privacy.
Flags: needinfo?(jonas)

Comment 8

2 years ago
I'd like to finally get rich by offering an advanced user tracking service based on the sharing of HSTS information, but my efforts would be useless if you fix this feature too soon. So, is there some kind of guarantee that this will *not* be fixed in the near future? :-)

Comment 9

+1 to WONTFIX
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(rlb)
Resolution: --- → WONTFIX
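
The trade-off argued in this thread, as an added example that is not part of the original bug and not Gecko code: a toy HSTS store that can be keyed by host alone (shared) or by appId and host (partitioned). The class, function names, appIds and host are hypothetical and constructed for illustration.

```javascript
// Toy model of an HSTS store. Only max-age is parsed; includeSubDomains is ignored.
class HstsStore {
  constructor(partitionByAppId) {
    this.partitionByAppId = partitionByAppId;
    this.entries = new Map(); // key -> expiry time in ms
  }
  // Shared store: key is the host. Partitioned store: key is appId plus host.
  keyFor(appId, host) {
    return this.partitionByAppId ? `${appId}|${host}` : host;
  }
  // Record a Strict-Transport-Security header that arrived over HTTPS.
  noteHeader(appId, host, header, now) {
    const m = /(?:^|;)\s*max-age\s*=\s*"?(\d+)"?/i.exec(header);
    if (!m) return false; // no usable max-age: nothing is stored
    const key = this.keyFor(appId, host);
    const maxAge = Number(m[1]);
    if (maxAge === 0) this.entries.delete(key); // max-age=0 clears the entry
    else this.entries.set(key, now + maxAge * 1000);
    return true;
  }
  // Return the URL this app would actually load for a requested URL.
  resolve(appId, url, now) {
    const u = new URL(url);
    const expiry = this.entries.get(this.keyFor(appId, u.hostname));
    if (u.protocol === "http:" && expiry !== undefined && expiry > now) {
      u.protocol = "https:"; // known HSTS host: upgrade before sending anything
    }
    return u.href;
  }
}

// Constructed scenario: app 1 visits the host over HTTPS and receives the
// header; later app 2 follows a plain http:// link to the same host.
function scenario(partitionByAppId) {
  const store = new HstsStore(partitionByAppId);
  store.noteHeader(1, "example.com", "max-age=31536000", 0);
  return store.resolve(2, "http://example.com/", 1000);
}

// Shared: app 2 is upgraded because of app 1's visit (state crosses apps).
// Partitioned: no cross-app state, but app 2's first load goes out in cleartext.
console.log("shared:     ", scenario(false));
console.log("partitioned:", scenario(true));
```

The shared result is the cross-app state described in the report; the partitioned result is the "less use of https" cost raised in comment 6.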