HTTP Strict Transport Security (HSTS) is a way to tell your visitor's browser that, from now on, it should only load files from your domain over an https connection.
This information can be stored and read back, bit by bit.
This has been described here and here, and even the RFC says about HSTS:
Such a technique could potentially be abused as yet another form of "web tracking" [WebTracking].
- You need a set of "trusted" (not self-signed) SSL certificates for different domains, or a "trusted" wildcard certificate.
- Each domain stores exactly one bit of information in the user's browser. So if you control 8 domains you can store values up to 255.
```javascript
// One URL per bit; each host stores a single bit as its HSTS state.
var domains = [
    'http://a.test.bar/sec/hsts_tracking/hsts_cookie.php',
    'http://b.test.bar/sec/hsts_tracking/hsts_cookie.php',
    'http://c.test.bar/sec/hsts_tracking/hsts_cookie.php',
    'http://d.test.bar/sec/hsts_tracking/hsts_cookie.php',
];
var hsts_cookie = HSTS_Cookie(domains);
var value = 5;
// Store the value, then read it back once the write has finished.
hsts_cookie.set_hsts_as_int(value, function () {
    alert('Saved ' + value);
    hsts_cookie.get_hsts_as_int(function (int_val) {
        alert('Loaded ' + int_val);
    });
});
```
Or see hsts_cookie.html
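
An added example, not part of the original project: a heuristic that flags this read pattern in a page's request log, that is, the same path requested over plain http from several sibling hosts, and lists which of those hosts the browser upgraded to https. The log shape (`requested`/`loaded`), the threshold, the two-label parent-domain shortcut and the function names are assumptions; the sample log is constructed.

```javascript
// Added example: flags the request pattern of an HSTS "cookie" read.
// Log shape, threshold and parent-domain shortcut are assumptions.

// Constructed sample log. `requested` is the URL the page asked for,
// `loaded` is the URL the browser fetched after any HSTS upgrade.
const P = '/sec/hsts_tracking/hsts_cookie.php';
const SAMPLE_LOG = [
  { requested: 'http://a.test.bar' + P, loaded: 'https://a.test.bar' + P },
  { requested: 'http://b.test.bar' + P, loaded: 'http://b.test.bar' + P },
  { requested: 'http://c.test.bar' + P, loaded: 'https://c.test.bar' + P },
  { requested: 'http://d.test.bar' + P, loaded: 'http://d.test.bar' + P },
  { requested: 'http://cdn.example.org/lib.js', loaded: 'http://cdn.example.org/lib.js' },
  { requested: 'https://www.example.org/', loaded: 'https://www.example.org/' },
];

// Approximates the registrable domain as the last two labels (assumption;
// a real tool should consult the Public Suffix List).
function parentDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Groups plain-http requests by parent domain and path, and reports groups
// that span at least `minHosts` sibling hosts.
function findHstsProbeGroups(requests, minHosts = 4) {
  const groups = new Map(); // "domain path" -> Map(hostname -> upgraded?)
  for (const r of requests) {
    const req = new URL(r.requested);
    if (req.protocol !== 'http:') continue; // a read always starts as http
    const key = parentDomain(req.hostname) + ' ' + req.pathname;
    if (!groups.has(key)) groups.set(key, new Map());
    groups.get(key).set(req.hostname, new URL(r.loaded).protocol === 'https:');
  }
  const findings = [];
  for (const [key, hosts] of groups) {
    if (hosts.size < minHosts) continue;
    const [domain, path] = key.split(' ');
    findings.push({
      domain,
      path,
      hosts: [...hosts.keys()].sort(),
      // Hosts with a stored HSTS entry, i.e. the bits that are set.
      upgradedHosts: [...hosts].filter(([, up]) => up).map(([h]) => h).sort(),
    });
  }
  return findings;
}

console.log(JSON.stringify(findHstsProbeGroups(SAMPLE_LOG), null, 2));
```

A hit is a lead for review rather than proof, since sharded asset hosts can produce the same shape.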