Deleting Chrome HSTS for facebook.com not working


I am currently doing some debugging on my website which involves calling the Facebook API.

I've installed dnsmasq on my Mac OS X machine to redirect all requests to facebook.com to 127.0.0.1.

I have an echo server which will print out all the raw HTTP request headers on port 80 on my laptop.

Now comes my problem. When I access facebook.com, I realize Chrome will automatically forward http:// to https:// for facebook.com.

I googled and found the way of deleting this HSTS issue. I visit chrome://net-internals#hsts to see something like this:

HSTS chrome image

After entering "facebook.com" under "Delete domain", I can still query "facebook.com" in the input box below.

I tried clearing all user data in Chrome, closing and reopening Chrome and even using incognito mode.

  • Why is Chrome still redirecting all requests to facebook.com to https?

  • How can I disable this if chrome://net-internals#hsts is not reliable?

2

There are 2 answers

0
Anand Bhat On BEST ANSWER

The text next to the Delete domain box on chrome://net-internals/#hsts clearly states that preloaded entries cannot be deleted. This feature request was closed as WontFix in the Chrome bug tracker.

Text showing "you cannot delete preloaded entries"

facebook.com and quite a few of its subdomains are included in Chrome's preload list.
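The behaviour described in this answer can be modelled with two tables, one shipped with the browser and one learned from `Strict-Transport-Security` headers. The following is an added example, not part of the original answer and not Chrome's code; `HstsStore`, `Entry` and the sample entries (including their `include_subdomains` flags) are constructed for illustration.

```python
# Simplified model of an HSTS store with a built-in (preloaded) table and a
# user-learned (dynamic) table. All entries below are constructed sample data.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Entry:
    include_subdomains: bool

@dataclass
class HstsStore:
    preloaded: dict  # host -> Entry, shipped with the browser, read-only
    dynamic: dict = field(default_factory=dict)  # learned from response headers

    def delete(self, host):
        """Mimic 'Delete domain': only a dynamic entry can be removed."""
        return self.dynamic.pop(host.lower(), None) is not None

    def query(self, host):
        """Return (source, matched_host) for the policy forcing HTTPS, or None."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = i == 0  # parent-domain entries apply only with include_subdomains
            for source, table in (("dynamic", self.dynamic),
                                  ("preloaded", self.preloaded)):
                entry = table.get(candidate)
                if entry and (exact or entry.include_subdomains):
                    return source, candidate
        return None

    def should_upgrade(self, host):
        return self.query(host) is not None

def demo_store():
    # Constructed sample; flags are illustrative, not copied from Chrome's list.
    store = HstsStore(preloaded={
        "facebook.com": Entry(include_subdomains=False),
        "preloaded.example": Entry(include_subdomains=True),
    })
    store.dynamic["facebook.com"] = Entry(include_subdomains=False)
    store.dynamic["dev.example"] = Entry(include_subdomains=True)
    return store

if __name__ == "__main__":
    s = demo_store()
    for host in ("facebook.com", "dev.example"):
        s.delete(host)  # dynamic entry is removed for both hosts
        print(host, "->", s.query(host))  # the preloaded match survives
```

In this model, deleting `dev.example` stops the upgrade, while `facebook.com` is still found through the preloaded table, which matches what the question observed after using "Delete domain".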

0
user7528775 On

You could use another domain name for your tests.

Just make API calls to facebook-api-test.com, map that domain to localhost and proxy the calls.