Which HSTS preload list is used by which browser?


Question

I've been reading various information about Google and Firefox using an HSTS preload list.

  • it seems that there is a generic list here : https://hstspreload.org/
  • and that Chrome uses the one from Chromium here : https://www.chromium.org/hsts/
  • and Firefox uses the one here : https://dxr.mozilla.org/comm-central/source/mozilla/security/manager/ssl/nsSTSPreloadList.inc

Does Safari or Opera use an HSTS preload list? Which one? What is the relationship between the 3 lists cited above?

Thanks

Recommended answer

The de facto central master list for HSTS is managed by Chromium / Google at https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json .

A list of browsers supporting HSTS (and presumably having preload lists) can be found at Wikipedia. Being closed source, information on how Opera, Safari, IE, etc. handle their preloaded lists seems to be unavailable.

The Microsoft Edge Team state in their blog that

"Like other browsers which have implemented this feature, the preload list for Microsoft Edge and Internet Explorer 11 is based on the Chromium HSTS preload list."


For Firefox, the list at /source/mozilla/security/manager/ssl/nsSTSPreloadList.inc is generated by the file /source/mozilla/security/manager/tools/getHSTSPreloadList.js, where we can see from the line

const SOURCE = "https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json?format=TEXT";

that it is merely a clone of the "master list", parsed into Firefox's format. All it does is an additional verification run for each domain in the list to be available and have the required HSTS header (by connecting to it; which it seems to do daily, from the vcs log).

Palemoon follows this procedure and it is likely that other browser vendors do the same. So it seems the relationship between your lists is: there is only one.
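
The fetch, parse and verify flow described in the answer, as an added example that is not part of the original answer and is not Mozilla's script. It assumes the `?format=TEXT` response is base64-encoded and that the list is JSON with `//` comment lines and an `entries` array; the sample data, the function names and the one-year `minMaxAge` threshold are constructed for illustration.

```javascript
// Added example, not Mozilla's getHSTSPreloadList.js.
// CONSTRUCTED sample imitating the Chromium list layout (assumed: JSON with
// "//" comment lines and an "entries" array); hostnames are placeholders.
const SAMPLE_JSON = `// constructed sample, not real list data
{
  "entries": [
    // comment lines like this must be stripped before JSON.parse
    { "name": "example.com", "mode": "force-https", "include_subdomains": true },
    { "name": "pins-only.example", "pins": "placeholder" },
    { "name": "www.example.org", "mode": "force-https" }
  ]
}`;
// "?format=TEXT" responses are base64-encoded, so encode the sample the same way.
const SAMPLE_RESPONSE = Buffer.from(SAMPLE_JSON, "utf8").toString("base64");

// Decode the response, drop comment lines, keep only HSTS (force-https) entries.
function parsePreloadResponse(base64Body) {
  const text = Buffer.from(base64Body, "base64").toString("utf8");
  const json = text.split("\n").filter((l) => !l.trim().startsWith("//")).join("\n");
  return JSON.parse(json).entries
    .filter((e) => e.mode === "force-https")
    .map((e) => ({ host: e.name, includeSubdomains: e.include_subdomains === true }));
}

// Parse a Strict-Transport-Security value (RFC 6797; directive names are case-insensitive).
function parseHstsHeader(value) {
  const result = { maxAge: null, includeSubDomains: false };
  for (const part of String(value || "").split(";")) {
    const [rawName, rawVal] = part.split("=");
    const name = rawName.trim().toLowerCase();
    if (name === "max-age" && rawVal !== undefined) {
      const v = rawVal.trim().replace(/^"(.*)"$/, "$1");
      if (/^\d+$/.test(v)) result.maxAge = Number(v);
    } else if (name === "includesubdomains") result.includeSubDomains = true;
  }
  return result;
}

// Decide whether a list entry is still backed by the header its site serves.
// minMaxAge is a hypothetical threshold chosen for this example (one year).
function stillQualifies(entry, headerValue, minMaxAge = 31536000) {
  const h = parseHstsHeader(headerValue);
  if (h.maxAge === null || h.maxAge < minMaxAge) return false;
  return !entry.includeSubdomains || h.includeSubDomains;
}
```

In a real run the header value would come from an HTTPS request to each listed host; a host that is unreachable or returns no header is treated here the same as one with a missing `max-age`.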
