Which HSTS preload list is used by which browser?

Question

I've been reading various informations about Google and Firefox using an HSTS preload list.

• it seems that there is a generic list here : https://hstspreload.org/
• and that Chrome uses the one from Chromium here : https://www.chromium.org/hsts/
• and Firefox uses the one here : https://dxr.mozilla.org/comm-central/source/mozilla/security/manager/ssl/nsSTSPreloadList.inc

Does Safari or Opera use a HSTS preload list ? Which one ? What is the relationship between the 3 list cited above ?

Thank you

Answer 1

The defacto central master list for HSTS is managed by Chromium / Google at https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json .

A list of Browsers supporting HSTS (and presumably having preload lists) can be found at Wikipedia. Being closed source, information on how Opera, Safari, IE, etc. handle their preloaded lists seem to be unavailable.

The Microsoft Edge Team state in their Blog, that

Like other browsers which have implemented this feature, Microsoft Edge and Internet Explorer 11 base their preload list on the Chromium HSTS preload list.

For Firefox, the list at /source/mozilla/security/manager/ssl/nsSTSPreloadList.inc is generated by the file /source/mozilla/security/manager/tools/getHSTSPreloadList.js, where we can see from the line

const SOURCE = "https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json?format=TEXT";

that it is merely a clone of the "master list", parsed into Firefox` format. All it does is an additional verification run for each domain in the list to be available and have the required HSTS header (by connecting to it; which it seems to do daily, from the vcs log).

Palemoon follows this procedure and it is likely that other browser vendors do the same. So it seems the relationship between your lists is: there is only one.