Https-everywhere: Update hsts-prune to use preload policies

Created on 20 Nov 2017 · 5 comments · Source: EFForg/https-everywhere

Type: feature request

The HSTS preload list has added a tag to indicate under which policy a given domain was added (see https://github.com/chromium/hstspreload.org/issues/111 and this diff from the Chromium codebase).

It would be great if hsts-prune.js could use this new info to remove more domains. More specifically, domains with a special policy, such as google, custom or public-suffix-requested should be removed automatically, without the need to check for the presence of the required headers.

Related: https://github.com/EFForg/https-everywhere/issues/13235

ruleset-testing
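The pruning rule proposed above, as an added example rather than the project's own hsts-prune.js: entries are sorted by their `policy` tag so that special-policy domains are pruned on the tag alone while bulk entries keep the header check. The JSON shape and the `bulk-*` policy names are assumptions modelled on Chromium's transport_security_state_static.json, and the entries are constructed sample data.

```javascript
// Policies the issue says can be pruned without checking the site's headers.
const SPECIAL_POLICIES = new Set(['google', 'custom', 'public-suffix-requested']);
// Bulk policies (assumed names): the domain's own HSTS header must still be verified.
const BULK_POLICIES = new Set(['bulk-legacy', 'bulk-18-weeks', 'bulk-1-year']);

// Split preload entries into: prune automatically, verify headers first, leave alone.
function classifyPreloadEntries(preload) {
  const auto = [];     // special policy: prune on the tag alone
  const verify = [];   // bulk policy: run the existing header check
  const skipped = [];  // pin-only entries or an unknown policy: never prune
  for (const e of preload.entries) {
    if (e.mode !== 'force-https') { skipped.push(e.name); continue; }
    if (SPECIAL_POLICIES.has(e.policy)) auto.push(e.name);
    else if (BULK_POLICIES.has(e.policy)) verify.push(e.name);
    else skipped.push(e.name);
  }
  return { auto, verify, skipped };
}

// Find the preload entry covering a ruleset target host, walking up parent
// labels and honouring include_subdomains; null when the host is not preloaded.
function preloadEntryFor(host, preload) {
  const labels = host.split('.');
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join('.');
    const e = preload.entries.find(x => x.name === candidate && x.mode === 'force-https');
    if (e && (i === 0 || e.include_subdomains)) return e;
  }
  return null;
}

// Constructed sample in the assumed preload-list shape (RFC 2606 names).
const SAMPLE_PRELOAD = {
  entries: [
    { name: 'vendor.example', policy: 'google', mode: 'force-https', include_subdomains: true },
    { name: 'example.net', policy: 'custom', mode: 'force-https', include_subdomains: true },
    { name: 'example.dev', policy: 'public-suffix-requested', mode: 'force-https', include_subdomains: true },
    { name: 'example.org', policy: 'bulk-18-weeks', mode: 'force-https', include_subdomains: true },
    { name: 'example.com', policy: 'bulk-18-weeks', mode: 'force-https', include_subdomains: false },
    { name: 'pinned.example', policy: 'custom', mode: '', include_subdomains: false },
    { name: 'odd.example', policy: 'mystery', mode: 'force-https', include_subdomains: true },
  ],
};

console.log(classifyPreloadEntries(SAMPLE_PRELOAD));
console.log(preloadEntryFor('www.example.org', SAMPLE_PRELOAD));
```

A ruleset target like `www.example.com` is not covered when the parent entry lacks `include_subdomains`, so that rule must stay even though `example.com` itself is preloaded.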

All 5 comments

cc @Hainish

@Bisaloo In discussions with the Chrome team, I weighed in favor of this change, and I think it's a step forward. I'd like the extra assurance that Firefox will also follow this policy, as well.

I don't like the "special policies" used by some browser vendors for their own domains. There is no guarantee that they're all handled well across all browsers. It's also not clear what policies are added or kept in forks of these browsers.

@J0WI Same here, especially since Chrome devs have deprecated static pinning of CA keys for every website except Google-owned ones.
