Strict Transport Security store
Posted: Thu Sep 24, 2009 3:27 am
by al_9x
Giorgio,
Please correct me if I am wrong, but it seems that STS introduces an additional site-pref-like or cookie-like store that is neither viewable, editable nor clearable from the NS UI. Nor, it seems, is it possible to disable STS.
So in light of the above, a couple of requests:
- Option to disable STS. It should be possible to disable any feature that allows sites to store any kind of state (cache, cookies, offline storage, history can all be individually disabled)
- UI for viewing, editing and clearing the STS store
Re: Strict Transport Security store
Posted: Thu Sep 24, 2009 7:43 am
by Giorgio Maone
al_9x wrote:
Option to disable STS. It should be possible to disable any feature that allows sites to store any kind of state (cache, cookies, offline storage, history can all be individually disabled)
You've got noscript.STS.enabled in about:config.
Furthermore, Private Browsing suspends any persistence for STS, while purging session history erases the STS database as well.
al_9x wrote:
UI for viewing, editing and clearing the STS store
Maybe in future. In the meantime, the store is easily editable by hand, being a simple text file in your profile named NoScript-STS.db.
Re: Strict Transport Security store
Posted: Thu Sep 24, 2009 3:33 pm
by Alan Baxter
Giorgio Maone wrote:
purging session history erases the STS database as well
I'm unsure which setting covers that. In Options > Privacy > Settings for Clearing History, do I need to check Browsing History or Site Preferences or something else? Same question regarding Tools > Clear Recent History > Details.
Could you clarify?
Re: Strict Transport Security store
Posted: Thu Sep 24, 2009 4:52 pm
by Giorgio Maone
@Alan Baxter:
Browser History.
Re: Strict Transport Security store
Posted: Thu Sep 24, 2009 5:21 pm
by Giorgio Maone
BTW, I don't feel that happy with this "erase on browser history erasure" all-or-nothing feature, especially if you erase it automatically after each session, but on the other hand:
- If you clean up for privacy/shame reasons, you'd better use "Private Browsing", which works just fine with STS and has no downsides.
- If you do it for some other policy reason but you have no objection to persisting data about certain sites you want to protect by forcing HTTPS, you can still use NoScript Options|Advanced|HTTPS|Behavior.
Re: Strict Transport Security store
Posted: Thu Sep 24, 2009 7:15 pm
by al_9x
Giorgio Maone wrote:
BTW, I don't feel that happy with this "erase on browser history erasure" all-or-nothing feature
If you are going to piggyback on one of the built-in Fx clear items, it should probably be "site preferences."
Or you could add your own item, like TMP does (saved sessions).