disk avoidance: SSSS.txt is not sanitized on session close, records "some" site URLS and timestamps
STR
- with TB closed (I used stable alpha), open
SiteSecurityServiceState.txt
(SSSS) in your profile, blank it, save it - start TB
- go to https://firstlook.org/theintercept/
- I did this twice, the second time was with prioritized onions but IDThink it matters since the https site has to load first anyway
- close TB (this forces writes to SSSS and will save you lots of time)
- open SSSS
- it contains timestamps and HSTS site info
here's mine
versioncheck-bg.addons.mozilla.org:HSTS 0 18988 1640586546830,1,0,2
o.prod.theintercept.com:HSTS 0 18988 1640673010997,1,1,2
aus1.torproject.org:HSTS 0 18988 1656354740558,1,0,2
theintercept.com:HSTS 0 18988 1656354609146,1,1,2
I don't think privileged/system ones from extensions/apps matter, but websites being listed is an issue IMO. I loaded about a dozen websites (including intercept and torproject prioritizing onions), and this was the only one that landed [1]
In my test suite, all the Firefox SSSS's are blanked because all my FF profiles are set to sanitize on close and the one HSTS is linked to is "site settings" - however, that is not available in options when in TB which uses PB Mode (and I doubt the prefs would work anyway)
[1] which is weird because I included TZP in that and TZP was listed in some of my TB test suite profiles so IDK who/how/what gets written there - it seems to only ever be eTLD/+1's, never third parties
[2] see image my test suite - the TB ones are now blank, because I did that before testing, so I can't look anything up retro-actively (and I only ever use these to load TZP), but given I can STR I don't care