> -----Original Message-----
> From: Adam Barth [mailto:[email protected]]


> > We battled this problem with HSTS as well.  I think what Mozilla settled on
> > (and I don't remember the Chrome solution) is to use a different storage
> > mechanism when HSTS is *set* during private browsing mode, and clear on
> > exit from private browsing.
> 
> It's been a while since I wrote that code, but I'm pretty sure that's how it
> works in Chrome too.  There's a separate memory-only HSTS store that's
> used for incognito.  That's consistent with how we handle other host-specific
> data stored by the network layer, such as cookies.

Is this documented anywhere?  Where should it be?  Maybe add a section to the 
browser security handbook, if nowhere else, so at least we all have it written 
down what the browsers have implemented?

And, since we decided these specifics don't belong in the IETF HSTS spec,
where could we document them for real?

- Andy
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
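To make the behaviour discussed in the thread concrete, here is a small model of the split-store design (a persistent HSTS table for normal browsing and a memory-only table for private browsing that is discarded when the private session ends). This is an added illustration written for this page; it is not code from Chrome, Firefox, or the thread's authors. One detail the thread does not settle is whether a private session should honour HSTS entries learned in normal browsing; the model below assumes reads fall through to the persistent table while writes never do, and labels that as an assumption. The `parse_sts_header`, `HstsStore` and `demo` names and the hostnames are all constructed for the example.

```python
"""Toy model of a split HSTS store: a persistent table for normal browsing
and a memory-only table for private browsing that is dropped on exit.
Added illustration for the websec thread, not any browser's real code."""

import time


def parse_sts_header(value):
    """Parse a Strict-Transport-Security header value into
    (max_age_seconds, include_subdomains).  Returns None when the header
    is unusable (no max-age, or a non-numeric max-age)."""
    max_age = None
    include_subdomains = False
    for directive in value.split(';'):
        name, _, arg = directive.strip().partition('=')
        name = name.strip().lower()
        if name == 'max-age':
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == 'includesubdomains':
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Two HSTS tables.  `_persistent` would be written to disk in a real
    browser; `_private` exists only in memory and is cleared by
    end_private_session(), so private-mode activity never reaches disk."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing expiry
        self._persistent = {}        # host -> (expiry_ts, include_subdomains)
        self._private = {}           # same shape, memory-only

    def record(self, host, max_age, include_subdomains=False, private=False):
        """Apply an STS header seen for `host`.  A max-age of 0 tells the
        store to forget the host (that is how a site opts out of HSTS).
        In private mode the entry goes only to the memory-only table."""
        host = host.lower().rstrip('.')
        table = self._private if private else self._persistent
        if max_age <= 0:
            table.pop(host, None)
            return
        table[host] = (self._clock() + max_age, include_subdomains)

    def is_known_hsts_host(self, host, private=False):
        """Should a request to `host` be upgraded to HTTPS?
        ASSUMPTION (not stated in the thread): a private session consults
        its own table first and then the persistent one; normal browsing
        never sees the private table."""
        host = host.lower().rstrip('.')
        tables = [self._private, self._persistent] if private else [self._persistent]
        now = self._clock()
        labels = host.split('.')
        for table in tables:
            # Check the exact host, then each parent domain; a parent only
            # counts if it was recorded with includeSubDomains.
            for i in range(len(labels)):
                entry = table.get('.'.join(labels[i:]))
                if entry is None:
                    continue
                expiry, include_subdomains = entry
                if expiry <= now:
                    continue   # expired; a real store would also evict it
                if i == 0 or include_subdomains:
                    return True
        return False

    def end_private_session(self):
        """Closing the last private window discards every private-mode entry."""
        self._private.clear()

    def persistent_hosts(self):
        """Hosts that would survive a browser restart (for inspection)."""
        return sorted(self._persistent)


def demo():
    """Constructed walk-through: a normal-mode site and a private-mode site."""
    store = HstsStore()
    store.record('example.com', *parse_sts_header('max-age=31536000; includeSubDomains'))
    store.record('private-only.example', *parse_sts_header('max-age=3600'), private=True)
    before = (store.is_known_hsts_host('private-only.example', private=True),
              store.is_known_hsts_host('private-only.example', private=False))
    store.end_private_session()
    after = store.is_known_hsts_host('private-only.example', private=True)
    return before, after, store.persistent_hosts()


if __name__ == '__main__':
    print(demo())
```

The property worth checking is the one the thread cares about: a host first seen in private mode is never visible to normal browsing, and is gone after the private session ends, so the HSTS table cannot be used to reconstruct private-mode history.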
