Apple moves on HSTS abuse in Safari

Apple has moved to block an abuse vector in the WebKit framework that underpins its Safari browser and allows HSTS to be abused to act as a 'supercookie' for user tracking. HSTS – HTTP Strict Transport Security – allows a Web site to declare to browsers that it's only accessible via HTTPS. If a user tries to hit the HTTP-only …

  1. Charlie Clark Silver badge


    Helme wrote

    Previous person mentioned was Greenhalgh. I assume you mean Christian Helme?

  2. katrinab Silver badge

    So now you register though to and use those for tracking?

    1. handleoclast


      So now you register though to and use those for tracking?

      Wouldn't same-origin policy stop that from working? If implemented correctly in the browser, of course.

      1. GnuTzu

        Re: dblck -- same-origin

        Geesh, I haven't checked this setting in over a decade. Time for an article on how all the browsers are going to deal with this.

  3. Anonymous Coward

    Google had a large hand in the development of HSTS

    So it's hardly surprising that it can be so easily subverted to track people against their wishes.


Biting the hand that feeds IT © 1998–2022