The web browsers store the STS header, but I don't know exactly where. Where do Chrome and Firefox store the STS header? And can a browser turn off the HSTS protocol?
Not aware of any way of turning off this feature in any browser.
Chrome has a nice screen to handle HSTS settings (including the ability to remove cached versions) by typing this into the address bar: "chrome://net-internals/#hsts".
For Firefox you clear the history and "forget about this site".
For more details see here: http://classically.me/blogs/how-clear-hsts-settings-major-browsers
In this piece of HTML code
PARTECIPA
the opening of the website in the Microsoft Edge browser is indicated if installed on the device.
Can anyone help me? I would like the site to open in Google Chrome and not in Edge.
How should I edit this HTML?
To open the link using the Chrome browser instead of Microsoft Edge, you can change the value of the href attribute like this: PARTECIPA. Assuming that the Chrome browser is installed, that should open the Chrome browser.
Problem: If Edge is not installed on the device (mob, desk or tab) it doesn't work
In this case, it's best to simply use a standard URL without specifying a specific browser, like this: PARTECIPA. In addition, the "googlechrome:" protocol is not a standardized protocol and probably may not work on all devices. So, you can use a standardized URL like the code snippet I posted above and let the user's device choose.
Do you know if instead of Chrome I can specify "default browser"? Example: PARTECIPA or something similar?
There is no standard protocol for specifying the default browser. So, the best approach is to simply use a standard URL without specifying a specific browser. But if you really want to use special web protocols inside hypertext links to force web pages or files to open with particular browsers on Windows or iOS, place the browser name before the hypertext reference link.
Check this:
Open in Google Chrome
Open in Microsoft Edge
Open in Mozilla Firefox
Open in Apple Safari
Open in Opera
This function does not work!
A similar example is for iOS, which works in the following way.
Example:
PARTECIPA
Google has official documentation on the Chrome iOS app’s URI scheme on its developer website.
Simply replace http with googlechrome and https with googlechromes. This means:
http://www.google.com/ becomes googlechrome://www.google.com/
https://apple.stackexchange.com/ becomes googlechromes://apple.stackexchange.com/
Previously, it supported an x-callback-url of googlechrome-x-callback://. This allowed the calling app to indicate its name and URI scheme to Chrome, which would show a back button in the address bar that closes the tab and invokes the specified URI. This feature was removed a few years ago when iOS 9 added the “Back to …” button in the status bar (but the URI scheme still works).
I've been reading various information about Google and Firefox using an HSTS preload list.
It seems that there is a generic list here: https://hstspreload.org/
and that Chrome uses the one from Chromium here:
https://www.chromium.org/hsts/
and Firefox uses the one here:
https://dxr.mozilla.org/comm-central/source/mozilla/security/manager/ssl/nsSTSPreloadList.inc
Does Safari or Opera use an HSTS preload list? Which one? What is the relationship between the 3 lists cited above?
Thank you
The de facto central master list for HSTS is managed by Chromium / Google at https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json .
A list of Browsers supporting HSTS (and presumably having preload lists) can be found at Wikipedia.
Being closed source, information on how Opera, Safari, IE, etc. handle their preloaded lists seems to be unavailable.
The Microsoft Edge Team state in their blog that:
"Like other browsers which have implemented this feature, Microsoft Edge and Internet Explorer 11 base their preload list on the Chromium HSTS preload list."
For Firefox, the list at /source/mozilla/security/manager/ssl/nsSTSPreloadList.inc is generated by the file
/source/mozilla/security/manager/tools/getHSTSPreloadList.js, where we can see from the line
const SOURCE = "https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json?format=TEXT";
that it is merely a clone of the "master list", parsed into Firefox's format.
All it does is an additional verification run for each domain in the list to be available and have the required HSTS header (by connecting to it; which it seems to do daily, from the vcs log).
Pale Moon follows this procedure and it is likely that other browser vendors do the same.
So it seems the relationship between your lists is: there is only one.
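The pipeline this answer describes (fetch the Chromium list, decode it, then keep only hosts that still send a valid HSTS header), sketched as an added example that is not Mozilla's or Chromium's code. The list content, the observed header values and the `MIN_MAX_AGE` threshold are constructed assumptions, and the base64 step assumes Gitiles' `?format=TEXT` encoding.

```javascript
// Constructed sample in the layout of transport_security_state_static.json:
// JSON with whole-line // comments. Not real list content.
const SAMPLE_LIST = `// Constructed sample for this example.
{
  "entries": [
    // force-https entries are the HSTS preloads
    { "name": "good.example", "mode": "force-https", "include_subdomains": true },
    { "name": "short.example", "mode": "force-https", "include_subdomains": true },
    { "name": "gone.example", "mode": "force-https", "include_subdomains": true },
    { "name": "pins.example", "pins": "test" }
  ]
}`;
const SAMPLE_B64 = Buffer.from(SAMPLE_LIST, "utf8").toString("base64");

// Constructed Strict-Transport-Security values a verification run might see.
const OBSERVED = {
  "good.example": "max-age=31536000; includeSubDomains; preload",
  "short.example": "max-age=300",
  "gone.example": null, // host unreachable or header missing
};
const MIN_MAX_AGE = 10886400; // assumed threshold (18 weeks) for this example

function decodeList(b64) {
  const text = Buffer.from(b64, "base64").toString("utf8");
  // Drop whole-line // comments so the remainder is plain JSON.
  const json = text.split("\n").filter((l) => !/^\s*\/\//.test(l)).join("\n");
  return JSON.parse(json).entries.filter((e) => e.mode === "force-https");
}

function parseHsts(value) {
  if (value == null) return null;
  const out = { maxAge: null, includeSubDomains: false };
  for (const part of value.split(";")) {
    const [name, raw = ""] = part.trim().split("=");
    const key = name.trim().toLowerCase(); // directive names are case-insensitive
    const v = raw.trim().replace(/^"(.*)"$/, "$1"); // value may be quoted
    if (key === "max-age" && /^\d+$/.test(v)) out.maxAge = Number(v);
    if (key === "includesubdomains") out.includeSubDomains = true;
  }
  return out.maxAge === null ? null : out; // max-age is mandatory
}

function verifyList(b64, observed, minMaxAge = MIN_MAX_AGE) {
  return decodeList(b64).map((e) => {
    const hsts = parseHsts(observed[e.name]);
    const keep = hsts !== null && hsts.maxAge >= minMaxAge;
    return { name: e.name, keep, includeSubDomains: keep && hsts.includeSubDomains };
  });
}
console.log(verifyList(SAMPLE_B64, OBSERVED));
```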
From your first link:
"Most major browsers (Chrome, Firefox, Opera, Safari, IE 11 and Edge) also have HSTS preload lists based on the Chrome list. (See the HSTS compatibility matrix.)"
As of version 56 Chrome does not accept cookies in my setup. The setup is
https://login-with.now.sh is the "app"
https://login.now.sh is an authentication microservice which (on success) sets two cookies ("jwt" and "profile"). The Cookie Domain is set to "now.sh"
However, the cookies are visible in the response header (dev tools) but they don't appear back in the login-with.now.sh "app".
This did work with Chrome 55
It is still working with Safari, Firefox and Edge.
Is something wrong with my cookies or what is the matter here?
This is a bug in Chrome which is filed in the Chrome bugtracker.
Is there a Firefox equivalent of Chrome's inspector "Resources" tab? I am trying to delete something from localStorage for a web site in Firefox but it won't go, and the standard settings->clear cache doesn't affect it at all.
Check for this:
Enter about:cache in browser address and see "Offline cache device" section.
Firefox storage inspector lets you see local storage.
This seems to be the closest equivalent to the chrome resource tab.
I had to explicitly enable the tab in the Firefox Developer Tools Options to get it to show.
https://developer.mozilla.org/en-US/docs/Tools/Storage_Inspector
This example to load a URL in an iframe works. However, when I change the URL to something like http://www.yahoo.com the iframe doesn't load anything.
Here is an example side by side.
In Network tab of developer tools for Chrome, I see that request to Yahoo was cancelled. In FF it doesn't give any errors, just doesn't return any content. IE9 gives a message that It cannot display this content.
This happens in Chrome, FF and IE9 (I haven't tested previous versions of IE).
That is because Yahoo itself prevents this from happening.
It has been noted here: https://stackoverflow.com/a/9013722/476786
To see for yourself, try setting the source to http://www.google.com/ which won't work as well, but then try http://www.bbc.co.uk/ and that will work.
Possibly works as described here: https://stackoverflow.com/a/2896705/476786 using X-FRAME-OPTIONS
If the site hosting the webpage forces the use of a secure HTTPS connection, some browsers (Chrome for sure) will require that all network resources use HTTPS as well.
Basically if your site forces HTTPS, try setting src="https://yahoo.com"
This won't solve OP's answer directly due to it being a limitation of Yahoo itself, but other people viewing this page might be experiencing this issue as a result of this (I was).
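The two causes named in the answers above (X-Frame-Options on the framed site, and an HTTPS page embedding an HTTP frame) combined into one decision function, as an added example that is not code from the thread. It goes one step beyond the answers by also honouring CSP `frame-ancestors`, which overrides X-Frame-Options when present; all URLs and header values are constructed.

```javascript
// Added example; all URLs and header values below are constructed.

// Return the source list of a CSP frame-ancestors directive, or null if absent.
function frameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// Model of the browser's decision for one parent page embedding one frame.
// Simplified: only the direct parent is checked, not the whole ancestor chain.
function frameOutcome(parentUrl, frameUrl, headers) {
  const parent = new URL(parentUrl);
  const frame = new URL(frameUrl);
  // Mixed content: an HTTPS page may not embed an HTTP frame.
  if (parent.protocol === "https:" && frame.protocol === "http:") {
    return "blocked: mixed content";
  }
  const h = {}; // header names are case-insensitive
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // frame-ancestors, when present, takes precedence over X-Frame-Options.
  const sources = frameAncestors(h["content-security-policy"]);
  if (sources !== null) {
    const ok = sources.some((s) =>
      s === "'self'" ? parent.origin === frame.origin : s === parent.origin);
    return ok ? "allowed" : "blocked: CSP frame-ancestors";
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "blocked: X-Frame-Options DENY";
  if (xfo === "SAMEORIGIN" && parent.origin !== frame.origin) {
    return "blocked: X-Frame-Options SAMEORIGIN";
  }
  return "allowed";
}

function demo() {
  return [
    frameOutcome("http://app.example/", "http://portal.example/", { "X-Frame-Options": "SAMEORIGIN" }),
    frameOutcome("https://app.example/", "http://news.example/", {}),
    frameOutcome("https://app.example/", "https://news.example/", {}),
    frameOutcome("https://app.example/", "https://docs.example/",
      { "X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors https://app.example" }),
  ];
}
console.log(demo());
```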