Google Prepares to block HSTS Tracking in Chrome

HSTS Tracking Prevention in Chrome is still in the Proposal Stage




In a move to improve user privacy, Google is developing a new feature for Chrome called “HSTS tracking prevention.”

HSTS stands for HTTP Strict Transport Security, a rule that ensures websites are only accessible through secure connections (HTTPS) and prevents browsers from ignoring security warnings, keeping your data safe.

Many websites, including Google, use HSTS. When you visit the secure version of a website, your browser remembers this and automatically redirects you to the secure site if you later try to access the insecure version. However, because that remembered state persists on your device and can be read back later, it can serve as a “supercookie” that lets cross-site trackers follow you online.

Currently, third-party sites can misuse HSTS to track users through “supercookies.” This involves setting an HSTS response on some of a set of requests and later observing which subdomain requests the browser upgrades to HTTPS, which identifies the user.

Chrome to Protect Users from HSTS Tracking

In a proposal on the Intent to Prototype thread, Google shares its “motivation” for working on the HSTS Tracking Prevention feature for Chrome:

“HSTS can be used by third parties to store arbitrary amounts of information that can track users around the web. This can be done by creating an arbitrary number of subdomains, sending requests to each of those domains, setting an HSTS response on a subset of those requests, and then in the future tracking which subdomain requests are automatically upgraded to HTTPS by the browser in order to identify that user.”

Proposal: Google’s solution involves applying HSTS upgrades only to top-level navigation requests.

Only apply HSTS upgrades to top-level navigation requests. By not applying HSTS upgrades to any sub-resources it will be impossible for any stored identity to be read unless the browser is navigated to every applicable url. This makes tracking via the HSTS significantly more difficult for third-party trackers.

The latest commit message describes enabling HSTS upgrades for top-level navigations only: only main-page navigations will be upgraded to HTTPS, not sub-resources such as images or scripts.

By limiting HSTS upgrades to main pages, Google prevents misuse by third-party sites, making it harder for them to track users across the web. This improves user privacy while still maintaining the security benefits of HSTS.
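To make the effect of the proposed policy concrete, here is an added simulation (constructed for this article, not Chromium code) of a minimal HSTS store and its upgrade decision under both policies. The host names, the 8-subdomain layout and the stored bit pattern are all constructed; the point is that once sub-resources are never upgraded, a page embedding one request per subdomain can no longer read anything back, while top-level navigations keep their HTTPS upgrade.

```python
# Constructed model of the HSTS upgrade decision, not Chromium's implementation.
from dataclasses import dataclass, field


@dataclass
class Request:
    host: str
    is_top_level_navigation: bool  # True for address-bar or link navigations


@dataclass
class HstsStore:
    """Hosts for which a Strict-Transport-Security header was remembered."""
    hosts: set = field(default_factory=set)

    def remember(self, host: str) -> None:
        self.hosts.add(host)

    def should_upgrade(self, req: Request, top_level_only: bool) -> bool:
        if req.host not in self.hosts:
            return False
        # Proposed policy: sub-resources (images, scripts, fetches) are never
        # upgraded, so their upgrade state is no longer observable to a page.
        if top_level_only and not req.is_top_level_navigation:
            return False
        return True


def readable_bits(store: HstsStore, subdomains: list, top_level_only: bool) -> str:
    """Upgrade pattern a page would see if it embedded one sub-resource per
    subdomain; every '1' is one bit of stored identity that leaks."""
    return "".join(
        "1" if store.should_upgrade(Request(h, False), top_level_only) else "0"
        for h in subdomains
    )


# Constructed scenario: a tracker controls 8 subdomains and earlier caused the
# browser to remember HSTS for the subset encoding the identifier 10110010.
SUBDOMAINS = [f"s{i}.tracker.example" for i in range(8)]
store = HstsStore()
for sub, bit in zip(SUBDOMAINS, "10110010"):
    if bit == "1":
        store.remember(sub)

if __name__ == "__main__":
    print("legacy policy   :", readable_bits(store, SUBDOMAINS, top_level_only=False))
    print("proposed policy :", readable_bits(store, SUBDOMAINS, top_level_only=True))
    # Top-level navigations are still upgraded, so HSTS keeps its security benefit.
    print("navigation to s0:", store.should_upgrade(Request(SUBDOMAINS[0], True), True))
```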

Other browsers, such as Firefox and Safari, have already implemented similar forms of HSTS tracking prevention.

Current Status: This feature is in the proposal stage. You can find the explainer here.

Google notes that, should the change introduce any security risk, other measures such as HTTPS-First Mode and automatic HTTPS navigations are already in place to counteract it.

What do you think about Chrome’s HSTS tracking prevention feature? Let us know your thoughts in the comments below.
