GitLab

HTTP Alternative Services header (https://tools.ietf.org/html/draft-ietf-httpbis-alt-svc-06) allows websites to tell clients to cache destination and protocol settings for certain websites.

While this header enables things like opportunistic encryption, http2 discovery, etc, unfortunately it is both a supercookie vector and a third party tracking vector. Luckily for us, it was disabled for Firefox 38 because the initial implementation also enabled URL bar spoofing vulnerabilities.

However, for Firefox 45, we will either need to isolate it, or ensure it remains disabled.