Apple moves on HSTS abuse in Safari

Apple has moved to block an abuse vector in the WebKit framework that underpins its Safari browser and allows HSTS to be abused to act as a 'supercookie' for user tracking. HSTS – HTTP Strict Transport Security – allows a Web site to declare to browsers that it's only accessible via HTTPS. If a user tries to hit the HTTP-only …

  1. Charlie Clark Silver badge

    Who?

    Helme wrote

    Previous person mentioned was Greenhalgh. I assume you mean Christian Helme?

  2. katrinab Silver badge

    So now you register dblck00.com through to dblckFF.com and use those for tracking?

    1. handleoclast

      dblck

      So now you register dblck00.com through to dblckFF.com and use those for tracking?

      Wouldn't same-origin policy stop that from working? If implemented correctly in the browser, of course.

      1. GnuTzu Silver badge

        Re: dblck -- same-origin

        Geesh, I haven't checked this setting in over a decade. Time for an article on how all the browsers are going to deal with this.

  3. DougS Silver badge

    Google had a large hand in the development of HSTS

    So it's hardly surprising that it can be so easily subverted to track people against their wishes.


Biting the hand that feeds IT © 1998–2019