Which HSTS preload list is used by which browser?

Submitted by 北慕城南 on 2019-12-07 10:26:46

Question


I've been reading various information about Google and Firefox using an HSTS preload list.

  • it seems that there is a generic list here: https://hstspreload.org/
  • and that Chrome uses the one from Chromium here: https://www.chromium.org/hsts/
  • and Firefox uses the one here: https://dxr.mozilla.org/comm-central/source/mozilla/security/manager/ssl/nsSTSPreloadList.inc

Does Safari or Opera use an HSTS preload list? Which one? What is the relationship between the 3 lists cited above?

Thank you


Answer 1:


The de facto central master list for HSTS is managed by Chromium / Google at https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json.

A list of browsers supporting HSTS (and presumably having preload lists) can be found at Wikipedia. Being closed source, information on how Opera, Safari, IE, etc. handle their preloaded lists seems to be unavailable.


The Microsoft Edge Team state in their blog that

Like other browsers which have implemented this feature, Microsoft Edge and Internet Explorer 11 base their preload list on the Chromium HSTS preload list.


For Firefox, the list at /source/mozilla/security/manager/ssl/nsSTSPreloadList.inc is generated by the file /source/mozilla/security/manager/tools/getHSTSPreloadList.js, where we can see from the line

const SOURCE = "https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json?format=TEXT";

that it is merely a clone of the "master list", parsed into Firefox's format. All it does is an additional verification run for each domain in the list to be available and have the required HSTS header (by connecting to it; which it seems to do daily, from the vcs log).

Palemoon follows this procedure and it is likely that other browser vendors do the same. So it seems the relationship between your lists is: there is only one.
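
To make the "one master list, many derived copies" point concrete, here is an added example (not part of the original answer, and not Chromium's or Mozilla's code) that parses a list in the Chromium JSON style and decides whether a host is covered. It assumes whole-line `//` comments and entries with `name`, `mode` and `include_subdomains` fields; the sample domains are constructed placeholders.

```javascript
// Constructed sample in the style of transport_security_state_static.json.
// Assumed layout: whole-line "//" comments and an "entries" array whose items
// carry "name", "mode" and "include_subdomains". Domains are placeholders.
const SAMPLE = `
// Constructed excerpt for illustration only.
{
  "entries": [
    // This entry covers the whole subtree.
    { "name": "example.com", "mode": "force-https", "include_subdomains": true },
    { "name": "login.example.org", "mode": "force-https" },
    { "name": "pins-only.example.net", "pins": "placeholder" }
  ]
}`;

// The file is JSON plus comment lines, so drop those lines before JSON.parse.
// Only lines that *start* with "//" are removed, so URLs in values survive.
function parsePreloadList(text) {
  const json = text
    .split("\n")
    .filter((line) => !line.trim().startsWith("//"))
    .join("\n");
  const list = new Map(); // host name -> include_subdomains flag
  for (const entry of JSON.parse(json).entries) {
    if (entry.mode !== "force-https") continue; // not an HSTS entry
    list.set(entry.name.toLowerCase(), entry.include_subdomains === true);
  }
  return list;
}

// An exact match always applies; a parent entry applies only when it
// was listed with include_subdomains.
function isPreloaded(list, host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (list.has(candidate) && (i === 0 || list.get(candidate))) return true;
  }
  return false;
}

const list = parsePreloadList(SAMPLE);
for (const host of ["example.com", "a.b.example.com", "x.login.example.org"]) {
  console.log(host, isPreloaded(list, host));
}
```

The same lookup gives the same answer in any browser whose list is generated from this file, which is why a domain only needs to be submitted once.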




Answer 2:


From your first link:

Most major browsers (Chrome, Firefox, Opera, Safari, IE 11 and Edge) also have HSTS preload lists based on the Chrome list. (See the HSTS compatibility matrix.)



Source: https://stackoverflow.com/questions/47816785/which-hsts-preload-list-is-used-by-which-browser
