Firefox "Preloaded List" is seeded with domains from Chrome's HSTS preloaded list of a similar function.
The list building procedure is thus: a request is sent to every host with the mode: "force-https" on Chrome's list. And only host that respond with a valid HSTS header and appropriate large max-age value get included in the list.
HSTS can be an effective tool for protecting the privacy and security of users and their data online.
The "preloaded list" makes it even harder to exploit, as when connecting to an HSTS host for the first time, the browser may not know whether to use secure connection or not, because it has never received a HSTS header from that host. Subsequently, an attacker could exploit that to prevent the browser from connecting securely and a user may never detect that. But, the "preloaded list" helps to mitigate this nature of attack.
Mozilla has called upon developers to download the recent build and give it a spin which is currently available in Firefox Beta.
Sign up here with your email