Apple has moved to block an abuse vector in WebKit, the framework that underpins its Safari browser, which allowed HSTS to be abused as a ‘supercookie’ for user tracking. HSTS (HTTP Strict Transport Security) lets a website declare to browsers that it is only accessible via HTTPS: if a user tries to load the HTTP version of the site, the browser redirects them to the HTTPS service. The bug in that feature was that a site could use the remembered redirect information as a tracking supercookie, because the HSTS standard stipulates that browsers should remember the redirection for future use.
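As an added example (not Apple's or WebKit's code), the following Python model of a browser's HSTS store enforces the host restriction WebKit adopted in response: HSTS state is accepted only from the loaded page's own hostname or its registrable domain (TLD+1), so headers returned by any other host the page loads cannot write into the store. The `registrable_domain` helper is a simplified stand-in for a Public Suffix List lookup, and the hostnames used in comments are constructed for illustration.

```python
import re
import time

_MAX_AGE = re.compile(r"max-age\s*=\s*\"?(\d+)\"?", re.IGNORECASE)

def registrable_domain(host: str) -> str:
    # Simplified TLD+1 (assumption: last two labels). A real browser consults
    # the Public Suffix List so suffixes such as "co.uk" are handled correctly.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_hsts(header: str):
    """Return (max_age, include_subdomains), or None if the header is invalid."""
    m = _MAX_AGE.search(header)
    if not m:
        return None
    directives = {d.strip().lower() for d in header.split(";")}
    return int(m.group(1)), "includesubdomains" in directives

class HSTSStore:
    """HSTS cache that only accepts state from the page's own host or TLD+1."""

    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}  # host -> (expiry_epoch, include_subdomains)

    def record(self, document_host: str, response_host: str, header: str) -> bool:
        # A host outside the allowed set (e.g. a third-party "tracker.example"
        # loaded as a subresource of www.example.com) writes nothing.
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        document_host, response_host = document_host.lower(), response_host.lower()
        if response_host not in {document_host, registrable_domain(document_host)}:
            return False
        max_age, include_subdomains = parsed
        if max_age == 0:                     # max-age=0 clears existing state
            self._entries.pop(response_host, None)
            return True
        self._entries[response_host] = (self._now() + max_age, include_subdomains)
        return True

    def should_upgrade(self, host: str) -> bool:
        """True if a plain-HTTP request to host must be rewritten to HTTPS."""
        labels = host.lower().split(".")
        for i in range(len(labels)):          # exact host first, then parents
            entry = self._entries.get(".".join(labels[i:]))
            if entry and entry[0] > self._now() and (i == 0 or entry[1]):
                return True
        return False
```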
