You can patch the browser to disable HSTS, but if you allow patching the browser to break the security intentionally, then all bets are off I'd say?
Surely the enforcement depends ultimately not on the browsers but rather on the server refusing non-TLS connection attempts?
No, HSTS-capable browsers (Firefox and Chrome) will flatly refuse to connect if HSTS is in action. That's the whole idea and the defense against SSLstrip.