Firefox does not clear HSTS “cookies” when closed after a private session

RESOLVED INVALID

People

(Reporter: mozilla, Unassigned)

Tracking

({privacy})

42 Branch
privacy
Points:
---

Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Build ID: 20151029151421

Steps to reproduce:

Visited some random sites with Firefox in private browsing mode (in this case this had been enabled by selecting "Always use private browsing mode" under Options > Privacy). After a few minutes of browsing, closed Firefox and checked the "SiteSecurityServiceState.txt" file located in the Firefox profile.


Actual results:

At the start of the session, "SiteSecurityServiceState.txt" is populated with about 32 entries for HSTS "cookies". After Firefox was closed the same 32 entries were still present in the file.


Expected results:

Based on common information about these entries (such as here: http://www.securitynewspaper.com/2015/10/16/how-to-prevent-hsts-tracking-in-firefox/) they should have been cleared after a private browsing session.
(Reporter)

Updated

3 years ago
Keywords: privacy
(Reporter)

Comment 1

3 years ago
From what it looks like currently, this is not a bug but 'works as designed'.

It could well be that FF was running earlier when I cleared the "SiteSecurityServiceState.txt" file, and that for this reason the entries were eventually put back.

I noticed in the tests I did today that (if I clear the file while FF is running) when FF puts the entries back, it does not do so when it is closed but when it is eventually re-opened.

So it could be that
1. initially the entries were from the time before I had enabled to always surf in Private Mode
2. when I cleared the entries from "SiteSecurityServiceState.txt", I did it while FF was running
3. I did not use FF for a while after clearing the entries. So then when I eventually launched FF again it added the entries back at that time.

Now I cleared the "SiteSecurityServiceState.txt" file again a couple hours ago (while FF was not running) and have since been surfing the web without the entries coming back.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID
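
The before/after comparison of "SiteSecurityServiceState.txt" described in this report can be scripted. The following is an added example, not part of the original bug report or Firefox code. It assumes the file's tab-separated layout (`host:TYPE`, score, last-access day, `expiry_ms,state,includeSubdomains`), which the page itself does not describe, and the sample snapshots are constructed.

```python
from datetime import datetime, timezone

# Constructed sample snapshots; hosts and values are made up for illustration.
BEFORE = (
    "example.com:HSTS\t3\t16750\t1478870000000,1,0\n"
    "login.example.org:HSTS\t0\t16751\t1463000000000,1,1\n"
)
AFTER = (
    "example.com:HSTS\t4\t16752\t1478870000000,1,0\n"
    "login.example.org:HSTS\t0\t16751\t1463000000000,1,1\n"
    "cdn.example.net:HSTS\t0\t16752\t1479000000000,1,0\n"
)

def parse_state(text):
    """Return {(host, kind): entry}; lines not matching the assumed layout are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4 or ":" not in parts[0]:
            continue
        host, kind = parts[0].rsplit(":", 1)
        fields = parts[3].split(",")
        try:
            last_day = int(parts[2])      # days since the Unix epoch
            expiry_ms = int(fields[0])    # milliseconds since the Unix epoch
        except ValueError:
            continue
        entries[(host, kind)] = {
            "last_access_day": last_day,
            "expires": datetime.fromtimestamp(expiry_ms / 1000, tz=timezone.utc),
            "include_subdomains": len(fields) > 2 and fields[2] == "1",
        }
    return entries

def diff_state(before, after):
    """Report hosts added, removed, or re-accessed between two snapshots."""
    old, new = parse_state(before), parse_state(after)
    return {
        "added": sorted(k[0] for k in new.keys() - old.keys()),
        "removed": sorted(k[0] for k in old.keys() - new.keys()),
        "touched": sorted(
            k[0] for k in new.keys() & old.keys()
            if new[k]["last_access_day"] != old[k]["last_access_day"]
        ),
    }

if __name__ == "__main__":
    print(diff_state(BEFORE, AFTER))
```

Take both snapshots while Firefox is not running, since the comment above observes that entries cleared during a running session are written back later.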