Skip to content
Titanium Network

HSTS (Cisco, iboss)

Documentation for HSTS (Cisco, iboss).
By 9fps

If a blocking system requires both an extension and a Chrome App to function, the extension may communicate with the Chrome App over HTTP on the lo (local) network interface. If that’s the case, HSTS can most likely be used to bypass it.

Steps

Section titled “Steps”
  1. Verify that you have an extension that’s affected (if you don’t, it doesn’t hurt to go for it anyways, because this is easy to undo).
  2. Open chrome://net-internals on your school device.
  3. Go to the “Domain Security Policy” tab.
  4. Put 127.0.0.1 in the “Add HSTS domain“‘s “Domain” text box.
  5. Click “Add”.
  6. Repeat Steps 4 and 5, but use localhost instead of 127.0.0.1.
  7. Open chrome://restart.

Known Working Extensions

Section titled “Known Working Extensions”
  • Cisco Umbrella
  • iboss

Known Not Working Extensions

Section titled “Known Not Working Extensions”
  • Securly
  • GoGuardian
  • Anything that doesn’t have both a Chrome App and Extension

How this works

Section titled “How this works”

Most websites use HTTPS, but that’s impossible on localhost, so they have to use HTTP (since they can’t get a TLS certificate). Of course, when you start talking HTTPS with an HTTP server, it can’t understand, so if you use this, the extension and the app are effectively firewalled from each other, so the extension can’t ask the app whether a site should be blocked or not.