Skip to content

GitLab

Trac
Trac

GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

Closed (moved)
Opened by Mike Perry@mikeperry

Isolate HPKP and HSTS to url bar domain

HPKP pinning (where an HTTP header can list a key to pin) may enable third party tracking if an adversary creates multiple certificates for many domains.

HPKP is already memory-only. In normal Firefox, it is saved to disk in the same location as HSTS is.

We should isolate HPKP to the url bar domain, and verify that it and HSTS are cleared on New Identity (I believe they are).

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information