[HTTPS-E Rulesets] Misc ruleset suggestions and additions

Christopher Liu cmliu00151 at gmail.com
Sun Jul 3 20:19:51 PDT 2011


To whom it may concern:

I have read over the rulesets supplied with the 1.0.0development.2
build, though I've been working on some of the rulesets below since
about 0.9.9development.4 and have previously been busy with
schoolwork.

Attached are the following new or modified rulesets, explained below.
(I have given each file an extension of .txt to prevent browsers etc.
from trying to parse the XML. In the explanations, I have inserted
spaces into domain names to prevent hyperlinking, and "HTTPS only"
means "redirects HTTP requests to HTTPS.")
Everything is tested to the best of my ability except where otherwise stated.

*Adblock Plus: reports. adblockplus. org added.
*Apple: discussions. apple. com added (to protect against
sslstripping; it is currently HTTPS only).
*Bitly: bitly. pro added (note absence of a period compared to bit.
ly. pro; such a link formerly existed on the bit. ly homepage). Note
that the homepage has moved to bitly. com. I have not changed the
securecookie because there are some subdomains like blog. bitly. com
which still need to be tested for HTTPS support.
*Caltech: New ruleset. Except for www. its. caltech. edu, my ability
to test is limited because I have graduated from Caltech and am now
attending UCSD.
*DuckDuckGo: ddg. gg added (a redirector intended for quick access to
the homepage).
*GNOME: bugzilla. gnome. org added (to protect against sslstripping;
it is currently HTTPS only).
*Khronos Group: Quick-and-dirty new ruleset for the part of the site
that officially claims HTTPS support. Still need to try a more general
rule.
*Mozilla: crash-stats. mozilla. com and drumbeat. org added. Note that
crash-stats. mozilla. com is now HTTPS only. I have also merged in the
GetPersonas and Mozdev rulesets (sorry if you disagree with this) and
added bugzilla. mozdev. org.
*NanoHUB: New ruleset.
*Scroogle: The "Scroogle homepage in HTTPS" change from version 0.2.2
is an excessive loss of functionality, as there are various
explanatory pages linked from the normal homepage but not the SSL
"homepage" nor search results. I have modified these rules to what I
believe was intended. The single nbbw.cgi rule covers both GET and
POST requests (note the lack of $ at the end).
*UCSD: I started working on this ruleset before your version appeared
in the development branch. It is fairly comprehensive but has some
TODOs in comments (preferably to be addressed by other UCSD students).
Also, some functions intended for faculty/staff have not been
thoroughly tested.
*USPS: Added moversguide, fast, and gateway-cat subdomains (all are
already HTTPS only, and the latter two are intended only for business
users).
*Wikipedia: added wikimediafoundation. org and wikimedia. org, also a
redirector to bugzilla.
*YouTube (2 rulesets): The "partial" version is designed to be safe to
enable by default, but it lacks protection for embedded videos. The
"testing" a.k.a. "+" version is based on the existing YouTube ruleset,
with the ytimg. com parts replaced by the corresponding rules from
ytimg.com.xml, and an additional exclusion I found necessary. In both
cases, I have removed the &feature=youtu.be parameter from the
youtu.be rules because it really serves no function other than
tracking and would be undesired by privacy-minded users.

Some comments on existing rulesets (not attached to this email) are below:
*Blockbuster: Name needs to specifically state that it is for the UK
version of the site, as opposed to the US version.
*EdUbuntu: There is a bogus securecookie element referring to
milkandmore. co. uk
*FFMPEG: Should probably be removed entirely given that there are
problems beyond the certificate; what's the policy on this?
*Google Search: The domain clients6. google. com exists and ought to
have corresponding target elements added, though it doesn't appear to
be used for any purpose that would hit this ruleset.
*GoogleAPIs: The rule for gdata. youtube. com breaks some embedded
videos, and the issue is not resolved by excluding crossdomain.xml on
that domain. Examples of affected videos occur on the www.bored.com
homepage in the "Upcoming Games" box. Also, the comment about
appending &strip=1 to cache URLs seems to belong in GoogleServices.
*GoogleServices: Should there be an exclusion for pagead2.
googlesyndication. com/crossdomain.xml? Discussion about the domain
and various Flash video content can be found on several
Adblock-related forums.
*Groupon: Name needs to specifically state that it is for the UK/DE
versions of the site, as opposed to the US version.
*MapQuest: Please disable - site seems to be completely inaccessible
in HTTPS (unable to establish any connection at all). Maybe related to
a recent redesign? Note that I have only tested www. mapquest. com as
I have no testcase handy for the APIs.
*McAfee: Rule is missing for mcafee. com (without the www).
*Pastebin.ca: Please disable or remove because the site seems to have
shut down. I recall that the HTTPS access broke a couple of weeks
before the plain HTTP access - in any case, it isn't working now.
*Pastebin. com: Is a clearer comment possible? The HTTPS access was
always intended for premium subscribers only; perhaps they changed
their method of enforcing this requirement (e.g. dropping connections
instead of redirecting to HTTP)? Might it help if a premium subscriber
tests this?
*Pizzahut: Name needs to specifically state that it is for the UK
version of the site, as opposed to the US version.
*RadioShack: Please add a comment saying that most HTTPS requests
redirect back to HTTP. I'm not sure whether this is grounds for
disabling; nothing breaks because the redirect-loop detection is doing
its job correctly.
*SANS: Something should be done about the old isc. sans. org homepage.
It is probably safe to redirect said homepage to isc. sans. edu; not
sure about any subpages.
*SICS: The original submitter forgot to include a target element to
cover www. sics. se (with the www). Also, the unnecessary
capitalization should be removed for style reasons.
*Swiss: The question marks in the second and third rules seem to be unnecessary.
*TwitPic: The comment is inaccurate because the images themselves are
hosted on Amazon S3. There is of course other mixed content on the
site, but I don't recall the details.

As a style guideline, I suggest avoiding the inclusion of TLDs in
ruleset names except where necessary for disambiguation.

Thank you for your time and effort.

C. Liu
-------------- next part --------------
<ruleset name="AdblockPlus">
  <target host="adblockplus.org"/>
  <target host="*.adblockplus.org"/>

  <securecookie host="^(.*\.)?adblockplus\.org$" name=".*" />

  <rule from="^http://(www\.)?adblockplus\.org/" to="https://adblockplus.org/"/>
  <rule from="^http://(easylist|easylist-downloads|hg|reports)\.adblockplus\.org/" to="https://$1.adblockplus.org/"/>
</ruleset>
-------------- next part --------------
<ruleset name="Apple.com (partial)">
  <target host="www.apple.com" />
  <target host="apple.com" />
  <target host="developer.apple.com" />
  <target host="connect.apple.com" />
  <target host="images.apple.com" />
  <target host="jobs.apple.com" />
  <target host="support.apple.com" />
  <target host="discussions.apple.com" />

  <rule from="^http://(www\.)?apple\.com/" to="https://www.apple.com/"/>
  <rule from="^http://developer\.apple\.com/" to="https://developer.apple.com/"/>
  <rule from="^http://connect\.apple\.com/" to="https://connect.apple.com/"/>
  <rule from="^http://images\.apple\.com/" to="https://ssl.apple.com/"/>
  <rule from="^http://jobs\.apple\.com/" to="https://jobs.apple.com/"/>
  <rule from="^http://support\.apple\.com/" to="https://support.apple.com/"/>
  <rule from="^http://discussions\.apple\.com/" to="https://discussions.apple.com/" />
</ruleset>
-------------- next part --------------
<ruleset name="bit.ly">
  <target host="bit.ly" />
  <target host="www.bit.ly" />
  <target host="bit.ly.pro" />
  <target host="www.bit.ly.pro" />
  <target host="bitly.pro" />
  <target host="www.bitly.pro" />
  <target host="j.mp" />
  <target host="www.j.mp" />
  <target host="on.fb.me" />
  <target host="bitly.com" />
  <target host="www.bitly.com" />

  <securecookie host="^(.*\.)?bit\.ly$" name=".*"/>
  <rule from="^http://(?:www\.)?bit\.ly/" to="https://bit.ly/"/>
  <rule from="^http://(?:www\.)?bitly\.com/" to="https://bitly.com/" />
  <rule from="^http://(?:www\.)?bit\.?ly\.pro/" to="https://bitly.com/pro/"/>
  <!--
  j.mp doesn't have a correct certificate but the namespaces are the same!
  -->
  <rule from="^http://(?:www\.)?j\.mp/" to="https://bit.ly/"/>
  <rule from="^http://on\.fb\.me/" to="https://bit.ly/"/>
</ruleset>
-------------- next part --------------
<ruleset name="Caltech">
<!-- normally https only; protect against SSL stripping -->
   <target host="access.caltech.edu" />
   <target host="courses.caltech.edu" />
   <target host="irsecure.caltech.edu" /><!-- mixed content from www.alumni.caltech.edu -->
   <target host="mail.alumni.caltech.edu" />
   <target host="utils.its.caltech.edu" />
   <target host="webmail.caltech.edu" />
   <target host="webvpn.caltech.edu" />
   <!-- XXX: These sites are only for faculty and/or staff. See System Status on www.imss.caltech.edu.
        Some may require Internet Explorer, so this list may not be useful.
        The following need to be investigated: outlookweb, kronos, kronoslimited, fiji, jobs -->
   <target host="techne1.caltech.edu" />
   <target host="business-query.caltech.edu" />
   <!-- <target host="solutions.sciquest.com" /> safe? -->
   <target host="nassau.caltech.edu" />
   <target host="pcard.caltech.edu" />
   <target host="scriptor.caltech.edu" />
   <!-- These two enforce HTTPS by redirecting HTTP requests to HTTPS, but they are self-signed. What is the policy on this? -->
   <target host="courses.hss.caltech.edu" />
   <target host="dabney.caltech.edu" />
<!-- supports https but doesn't use it by default -->
   <target host="www.its.caltech.edu" /><!-- some pages weren't designed w/ https in mind and have insecure third-party content -->
<!-- redirectors -->
   <target host="www.access.caltech.edu" />
   <target host="its.caltech.edu" />
   <target host="moodle.caltech.edu" />

   <rule from="^http://(www\.)?access\.caltech\.edu/" to="https://access.caltech.edu/" />
   <rule from="^http://(courses|moodle)\.caltech\.edu/" to="https://courses.caltech.edu/" />
   <rule from="^http://irsecure\.caltech\.edu/" to="https://irsecure.caltech.edu/" />
   <rule from="^http://mail\.alumni\.caltech\.edu/" to="https://mail.alumni.caltech.edu/" />
   <rule from="^http://utils\.its\.caltech\.edu/" to="https://utils.its.caltech.edu/" />
   <rule from="^http://webmail\.caltech\.edu/" to="https://webmail.caltech.edu/" />
   <rule from="^http://webvpn\.caltech\.edu/" to="https://webvpn.caltech.edu/" />

   <rule from="^http://techne1\.caltech\.edu/" to="https://techne1.caltech.edu/" />
   <rule from="^http://business-query\.caltech\.edu:8181/" to="https://business-query.caltech.edu:8181/" />
   <rule from="^http://nassau\.caltech\.edu:4444/" to="https://nassau.caltech.edu:4444/" />
   <rule from="^http://pcard\.caltech\.edu/" to="https://pcard.caltech.edu/" />
   <rule from="^http://scriptor\.caltech\.edu/" to="https://scriptor.caltech.edu/" />

   <rule from="^http://courses\.hss\.caltech\.edu/" to="https://courses.hss.caltech.edu/" />
   <rule from="^http://dabney\.caltech\.edu/" to="https://dabney.caltech.edu/" />

   <rule from="^http://(www\.)?its\.caltech\.edu/" to="https://www.its.caltech.edu/" />
</ruleset>
-------------- next part --------------
<ruleset name="DuckDuckGo">
  <target host="duckduckgo.com" />
  <target host="*.duckduckgo.com" />
  <target host="ddg.gg" />
  <target host="duck.co" />

  <rule from="^http://duckduckgo\.com/" to="https://duckduckgo.com/"/>
  <rule from="^http://([^/:@]*)\.duckduckgo\.com/" to="https://$1.duckduckgo.com/"/>
  <!-- TODO: What does ddg.gg/foo do? Runs query foo, redirects to homepage, or error? -->
  <rule from="^http://ddg\.gg/$" to="https://duckduckgo.com/" />

  <rule from="^http://duck\.co/" to="https://duck.co/" />
</ruleset>
-------------- next part --------------
<ruleset name="GNOME">
  <target host="bugzilla.gnome.org" />
  <target host="mail.gnome.org" />
  <target host="live.gnome.org" />

  <rule from="^http://(bugzilla|mail|live)\.gnome\.org/" to="https://$1.gnome.org/" />
</ruleset>
-------------- next part --------------
<!-- pages outside the specs folder still need testing and are known to have plaintext from gallery.mailchimp.com -->
<ruleset name="Khronos Group (partial)">
   <target host="khronos.org" />
   <target host="www.khronos.org" />

   <rule from="^http://(www\.)?khronos\.org/registry/(.+)/specs/" to="https://www.khronos.org/registry/$2/specs/" />
</ruleset>
-------------- next part --------------
<!-- BOOOO: Firefox.com (which some download links pass through) is in
     HTTP only... -->

<ruleset name="Mozilla">
  <target host="mozilla.org" />
  <target host="*.mozilla.org" />
  <target host="mozilla.com" />
  <target host="*.mozilla.com" />
  <target host="mozillalabs.com" />
  <target host="*.mozillalabs.com" />
  <target host="mozillamessaging.com" />
  <target host="www.mozillamessaging.com" />
  <target host="planet.mozillamessaging.com" />
  <target host="drumbeat.org" />
  <target host="www.drumbeat.org" />
  <target host="getpersonas.com" />
  <target host="www.getpersonas.com" />
  <target host="mozdev.org"/>
  <target host="bugzilla.mozdev.org" />
  <target host="hg.mozdev.org"/>
  <target host="www.mozdev.org"/>

  <rule from="^http://mozilla\.org/" to="https://www.mozilla.org/"/>
  <rule from="^http://(addons|bzr|communitystore|creative|developer|directory|donate|education|firefoxlive|ftp|intlstore|krakenbenchmark|lists|l10n|localize|hacks|hg|labs|mail|mpl|mxr|nightly|planet|studentreps|quality|wiki|www|www-archive)\.mozilla\.org/" to="https://$1.mozilla.org/"/>

  <rule from="^http://mozilla\.com/" to="https://www.mozilla.com/"/>
  <rule from="^http://(blog|crash-stats|input|people|support|www)\.mozilla\.com/" to="https://$1.mozilla.com/"/>

  <rule from="^http://(www\.)?mozillalabs\.com/" to="https://mozillalabs.com/"/>
  <rule from="^http://(apps|bespin|bespinplugins|gaming|heatmap|jetpack|testpilot)\.mozillalabs\.com/" to="https://$1.mozillalabs.com/"/>

  <rule from="^http://mozillamessaging\.com/" to="https://mozillamessaging.com/"/>
  <rule from="^http://(planet|www)\.mozillamessaging\.com/" to="https://$1.mozillamessaging.com/"/>

  <rule from="^http://(www\.)?drumbeat\.org/" to="https://www.drumbeat.org/" />

  <rule from="^http://(www\.)?getpersonas\.com/" to="https://www.getpersonas.com/" />

  <rule from="^http://mozdev\.org/" to="https://mozdev.org/"/>
  <rule from="^http://bugzilla\.mozdev\.org/" to="https://www.mozdev.org/bugs/" />
  <rule from="^http://(hg|www)\.mozdev\.org/" to="https://$1.mozdev.org/"/>
</ruleset>
-------------- next part --------------
<ruleset name="NanoHUB">
    <target host="nanohub.org" />
    <target host="www.nanohub.org" />

    <rule from="^http://(www\.)?nanohub\.org/" to="https://nanohub.org/" />
</ruleset>
-------------- next part --------------
<ruleset name="Scroogle">
  <target host="www.scroogle.org" />
  <target host="scroogle.org" />

  <rule from="^http://(www\.)?scroogle\.org/cgi-bin/nbbw\.cgi" to="https://ssl.scroogle.org/cgi-bin/nbbwssl.cgi"/>
  <rule from="^http://(www\.)?scroogle\.org/cgi-bin/scraper\.htm$" to="https://ssl.scroogle.org/" />
  <rule from="^http://(www\.)?scroogle\.org/langsup8\.html$" to="https://ssl.scroogle.org/langsup8.html" />
</ruleset>
-------------- next part --------------
<ruleset name="UCSD">
<!-- quikpayasp.com (E-Check) and services.jsatech.com (TritonCash) need separate
     rulesets because these domains also provide services for other universities.
     Does uc.sumtotalsystems.com (ultimate destination of uclearning) belong here,
     or do other UCs use it too?
-->
<!-- normally https only; protect against sslstripping -->
   <target host="a4.ucsd.edu" />
   <target host="acs-webmail.ucsd.edu" />
   <target host="altng.ucsd.edu" />
   <target host="cinfo.ucsd.edu" />
   <target host="facilities.ucsd.edu" />
   <target host="graduateapp.ucsd.edu" />
   <target host="myucsdchart.ucsd.edu" />
   <target host="sdacs.ucsd.edu" />
   <target host="shs.ucsd.edu" />
   <!-- TODO <target host="ucsdbkst.ucsd.edu" /> classification? -->
<!-- supports https but normally uses it only in special circumstances -->
   <target host="acms.ucsd.edu" />
   <target host="roger.ucsd.edu" />
   <!-- TODO <target host="www-no.ucsd.edu" /> classification? -->
<!-- supports https but doesn't use it by default -->
   <target host="www-cse.ucsd.edu" />
<!-- only some features support https; protect them against sslstripping -->
   <target host="hds.ucsd.edu" />
   <target host="health.ucsd.edu" /><!-- needs testing for further https support -->
   <target host="libraries.ucsd.edu" />
   <target host="studenthealth.ucsd.edu" /><!-- warning, signed by ipsCA -->
   <!-- TODO <target host="ted.ucsd.edu" /> supersedes webctweb -->
   <!-- TODO <target host="webctweb.ucsd.edu" /> -->
   <target host="www-act.ucsd.edu" />
<!-- redirectors - TODO: full Link Family list at http://blink.ucsd.edu/technology/help-desk/applications/link-family/list.html -->
   <!-- TODO <target host="acs.ucsd.edu" /> not all pages redirect -->
   <target host="accesslink.ucsd.edu" />
   <target host="cri.ucsd.edu" />
   <target host="desktop.ucsd.edu" />
   <target host="financiallink.ucsd.edu" />
   <target host="iwdc.ucsd.edu" />
   <target host="mytritonlink.ucsd.edu" />
   <target host="www.mytritonlink.ucsd.edu" />
   <target host="resnet.ucsd.edu" />
   <target host="software.ucsd.edu" />
   <target host="sysstaff.ucsd.edu" />
   <target host="tritonlink.ucsd.edu" />
   <target host="www.tritonlink.ucsd.edu" />
   <target host="uclearning.ucsd.edu" />
   <!-- TODO <target host="webct.ucsd.edu" /> behavior when logged in vs. out-->
   <target host="www-acs.ucsd.edu" />

   <securecookie host="^(.+\.)?a(4|cs-webmail)\.ucsd\.edu$" name=".*" />

   <rule from="^http://a4\.ucsd\.edu/" to="https://a4.ucsd.edu/" />
   <rule from="^http://acs-webmail\.ucsd\.edu/" to="https://acs-webmail.ucsd.edu/" />
   <rule from="^http://altng\.ucsd\.edu/" to="https://altng.ucsd.edu/" />
   <rule from="^http://cinfo\.ucsd\.edu/" to="https://cinfo.ucsd.edu/" />
   <rule from="^http://facilities\.ucsd\.edu/" to="https://facilities.ucsd.edu/" />
   <rule from="^http://graduateapp\.ucsd\.edu/" to="https://graduateapp.ucsd.edu/" />
   <rule from="^http://myucsdchart\.ucsd\.edu/" to="https://myucsdchart.ucsd.edu/" />
   <rule from="^http://sdacs\.ucsd\.edu/" to="https://sdacs.ucsd.edu/" />
   <rule from="^http://shs\.ucsd\.edu/" to="https://shs.ucsd.edu/" />

   <rule from="^http://acms\.ucsd\.edu/" to="https://acms.ucsd.edu/" />
   <rule from="^http://roger\.ucsd\.edu/" to="https://roger.ucsd.edu/" />

   <rule from="^http://www-cse\.ucsd\.edu/" to="https://www-cse.ucsd.edu/" />

   <rule from="^http://hds\.ucsd\.edu/(ARCH_WaitList/ARCHMainMenu\.aspx|conference/RequestInfo/|HospitalityExpress)" 
           to="https://hds.ucsd.edu/$1" />
   <rule from="^http://health\.ucsd\.edu/request_appt/" 
           to="https://health.ucsd.edu/request_appt/" />
   <rule from="^http://libraries\.ucsd\.edu/digital/"
           to="https://libraries.ucsd.edu/digital/" />
<!-- NB: The line below attempts to protect a normally https-only area of the site against sslstripping. Cert error is unavoidable -->
   <rule from="^http://studenthealth\.ucsd\.edu/secure/" 
           to="https://studenthealth.ucsd.edu/secure/" />
   <rule from="^http://www-act\.ucsd\.edu/(bsl/home|cgi-bin/[A-Za-z]+link\.pl|mytritonlink/view|myTritonlink20/display\.htm|studentBilling|studentDirectDeposit|studentEBill|studentHealthWaiver)" 
           to="https://www-act.ucsd.edu/$1" />

   <rule from="^http://accesslink\.ucsd\.edu/" 
           to="https://altng.ucsd.edu/" />
<!-- The redirectors shouldn't have subpages, but just in case, prevent anything like tritonlink.ucsd.edu/index.htm from 404ing -->
   <rule from="^http://financiallink\.ucsd\.edu/(.*)$" 
           to="https://www-act.ucsd.edu/cgi-bin/financiallink.pl" />
   <rule from="^http://(www\.)?(my)?tritonlink\.ucsd\.edu/(.*)$" 
           to="https://www-act.ucsd.edu/myTritonlink20/display.htm" />
   <rule from="^http://uclearning\.ucsd\.edu/" 
           to="https://a4.ucsd.edu/lms/" />
<!-- all acms redirects below -->
<!-- TODO: These have subpages - resnet has been tested fairly well, but iwdc and possibly software need more testing.
     cri ultimately redirects to the ACMS homepage because the CRI dept was closed, although this rule is correct for the initial bounce. That isn't our problem -->
   <rule from="^http://(cri|desktop|iwdc|resnet|software|sysstaff)\.ucsd\.edu/" 
           to="https://acms.ucsd.edu/units/$1/" />
<!-- Some www-acs.ucsd.edu pages redirect to acms on a case-by-case basis. This is a work in progress -->
   <rule from="^http://www-acs\.ucsd\.edu/$" 
           to="https://acms.ucsd.edu/index.shtml" />
   <rule from="^http://www-acs\.ucsd\.edu/account-tools/oce-intro\.shtml$" 
           to="https://acms.ucsd.edu/students/oce-intro.shtml" />
   <rule from="^http://www-acs\.ucsd\.edu/instructional/?$" 
           to="https://acms.ucsd.edu/students/" />
</ruleset>
-------------- next part --------------
<ruleset name="USPS">
  <target host="usps.com" />
  <target host="www.usps.com" />
  <target host="shop.usps.com" />
  <target host="moversguide.usps.com" />

  <!-- These are only useful for business customers, but probably still worth listing here -->
  <target host="fast.usps.com" />
  <target host="gateway-cat.usps.com" />

  <rule from="^http://(www\.)?usps\.com/" to="https://www.usps.com/"/>
  <rule from="^http://(fast|gateway-cat|moversguide|shop)\.usps\.com/" to="https://$1.usps.com/"/>
</ruleset>
-------------- next part --------------
<!-- www.wikisomething.org is generally a valid
     domain containing general information on a project and is
     simply not available at all in HTTPS.  Everything with a /wiki
     suffix, however, is a language-specific page that is available in
     HTTPS.  Hence these rules avoid redirecting www.wikisomething.org,
     while redirecting all language-specific subdomains.  If you
     navigate first to the WWW page, you could be vulnerable to SSL
     stripping, but if you succeed in submitting a query from there
     in a specific language without interference, you'll subsequently
     be protected.  -->

<ruleset name="Wikipedia">
  <target host="*.wikipedia.org" />
  <target host="*.wikinews.org" />
  <target host="*.wikisource.org" />
  <target host="*.wikibooks.org" />
  <target host="*.wikiquote.org" />
  <target host="*.wikiversity.org" />
  <target host="*.wiktionary.org" />
  <target host="*.wikimedia.org" />
  <target host="mediawiki.org" />
  <target host="www.mediawiki.org" />
  <target host="wikimediafoundation.org" />
  <target host="www.wikimediafoundation.org" />
  <target host="wikimedia.org" />
  <target host="www.wikimedia.org" />

<!-- TODO: What exclusions do we need for mobile sites, if any? -->
  <exclusion pattern="^http://(dumps|download)\.wikimedia\.org/"/>
  <exclusion pattern="^http://(static|download|m)\.wikipedia\.org/"/>
  <exclusion pattern="^http://www\.wik(ipedia|inews|isource|ibooks|iquote|iversity|tionary)\.org/"/>

<!-- The mediazilla: interwiki prefix on a default MediaWiki installation
     is outdated, wrongly pointing to http://bugzilla.wikipedia.org
     which is normally a (vulnerable) redirect.
     This has been corrected on Wikimedia Foundation wikis. -->
  <rule from="^http://bugzilla\.wiki[mp]edia\.org/"
          to="https://bugzilla.wikimedia.org/"/>

  <rule from="^http://([^@:/]+)\.wik(ipedia|inews|isource|ibooks|iquote|iversity|tionary)\.org/(w|wiki)/"
          to="https://secure.wikimedia.org/wik$2/$1/$3/"/>
  <rule from="^http://([^@:/]+)\.wik(ipedia|inews|isource|ibooks|iquote|iversity|tionary)\.org/?$"
          to="https://secure.wikimedia.org/wik$2/$1/wiki/"/>

  <rule from="^http://(meta|commons|incubator|species|outreach|strategy|usability|wikimania|test|survey)\.wikimedia\.org/wiki/"
          to="https://secure.wikimedia.org/wikipedia/$1/wiki/"/>

  <rule from="^http://(www\.)?mediawiki\.org/$"
          to="https://secure.wikimedia.org/wikipedia/mediawiki/wiki/" />
  <rule from="^http://(www\.)?mediawiki\.org/(w|wiki)/"
          to="https://secure.wikimedia.org/wikipedia/mediawiki/$2/" />
  <rule from="^http://(www\.)?wikimediafoundation\.org/$"
          to="https://secure.wikimedia.org/wikipedia/foundation/wiki/" />
  <rule from="^http://(www\.)?wikimediafoundation\.org/(w|wiki)/"
          to="https://secure.wikimedia.org/wikipedia/foundation/$2/" />

<!-- portal containing links to the English versions of all projects -->
  <rule from="^http://(www\.)?wikimedia\.org/$"
          to="https://secure.wikimedia.org/" />
</ruleset>
-------------- next part --------------
<ruleset name="YouTube+" default_off="breaks embedded videos">
<!-- Known sources of mixed content:
    *Tracking requests made by Vevo/other monetized videos to www.youtube-nocookie.com
    *googletagservices script: mostly videos w/ ads and user pages
    *IPv6 testing (IFRAME from ipv6-exp.l.google.com subdomains): randomly
    *User page backgrounds ^http://i[1-4]\.ytimg\.com/bg/ default to insecure HTTP, and they break when forced to HTTPS.
    *Clicking a video's statistics button causes mixed content due to an old version of Google Charts API. (Fixed?)
     The video bitstream itself doesn't support https, but Firefox doesn't warn about insecure object subrequests.
-->
<!-- Needs more testing:
    -Some channel/rights-holder logos ^http://i[1-4]\.ytimg\.com/i/.+/1\.jpg seem not to use/support HTTPS, but some do.
    -youtube-nocookie has bad cert: http://www.google.com/support/forum/p/youtube/thread?tid=0d4388331eea7870
     Would rewriting it to youtube.com trip any XSRF protection? Same question for rewriting regional domains to the global www.
-->
<target host="youtube.com" />
<target host="www.youtube.com" />
<!--
<target host="youtube-nocookie.com" />
<target host="www.youtube-nocookie.com" />
-->
<target host="ads.youtube.com" />
<target host="insight.youtube.com" />
<target host="s.ytimg.com" />
<target host="i.ytimg.com" />
<target host="i1.ytimg.com" />
<target host="i2.ytimg.com" />
<target host="i3.ytimg.com" />
<target host="i4.ytimg.com" />
<target host="youtu.be" />

<exclusion pattern="^http://(www\.)?youtube\.com/crossdomain\.xml"/>

<rule from="^http://(www\.)?youtube\.com/" to="https://www.youtube.com/"/>

<rule from="^http://(ads|insight)\.youtube\.com/" to="https://$1.youtube.com/" />

<exclusion pattern="^http://i[1-4]\.ytimg\.com/bg/" />
<rule from="^http://(s|i([1-4]){0,1})\.ytimg\.com/" to="https://$1.ytimg.com/" />

<!-- We strip any additional parameters if they exist. (I recall seeing ?a somewhere.) Need to find documentation of such parameters.
     Also, the target normally contains a tracking parameter &feature=youtu.be but we probably don't want that. -->
<rule from="^http://youtu\.be/(\w{11})(.*)$" to="https://www.youtube.com/watch?v=$1" />
</ruleset>
-------------- next part --------------
<ruleset name="YouTube (partial)">
<!-- Known sources of mixed content:
    *Tracking requests made by Vevo/other monetized videos to www.youtube-nocookie.com
    *googletagservices script: mostly videos w/ ads and user pages
    *IPv6 testing (IFRAME from ipv6-exp.l.google.com subdomains): randomly
    *User page backgrounds ^http://i[1-4]\.ytimg\.com/bg/ default to insecure HTTP, and they break when forced to HTTPS.
    *Clicking a video's statistics button causes mixed content due to an old version of Google Charts API. (Fixed?)
     The video bitstream itself doesn't support https, but Firefox doesn't warn about insecure object subrequests.
-->
<!-- Needs more testing:
    -Some channel/rights-holder logos ^http://i[1-4]\.ytimg\.com/i/.+/1\.jpg seem not to use/support HTTPS, but some do.
    -youtube-nocookie has bad cert: http://www.google.com/support/forum/p/youtube/thread?tid=0d4388331eea7870
     Would rewriting it to youtube.com trip any XSRF protection? Same question for rewriting regional domains to the global www.
-->
   <target host="youtube.com" />
   <target host="www.youtube.com" />
<!--
   <target host="youtube-nocookie.com" />
   <target host="www.youtube-nocookie.com" />
-->
   <target host="ads.youtube.com" />
   <target host="insight.youtube.com" />
   <target host="youtu.be" />

   <rule from="^http://(www\.)?youtube\.com/$" to="https://www.youtube.com/" />
<!-- http://www.youtube.com/?v=foo normally redirects to http://www.youtube.com/watch?v=foo -->
   <rule from="^http://(www\.)?youtube\.com/\?v=" 
           to="https://www.youtube.com/watch?v=" />
<!-- This whitelist approach won't break embeds, but it won't protect them either. 
     Some of the items were obtained by looking at robots.txt and may no longer be in use. -->
<!-- TODO: I'm not a registered YouTube user, so this list is incomplete. E.g. what URL is used for adding subscriptions? Finally, "live" needs more testing. -->
   <rule from="^http://(www\.)?youtube\.com/(all_comments|artist|bulletin|comment|create|dev|forgot|img|inbox|index|live|login|playlist|profile|redirect|results|show|signin|signup|social|t/|user|verify_age|video_response_view_all|videos|view_play_list|watch|ytmovies)" 
           to="https://www.youtube.com/$2" />
<!-- Now attempt to handle user pages accessed without the "user" folder -->
   <rule from="^http://(www\.)?youtube\.com/([A-Za-z0-9]+(#.*)?)$" 
           to="https://www.youtube.com/$2" />

   <rule from="^http://(ads|insight)\.youtube\.com/" to="https://$1.youtube.com/" />

<!-- We strip any additional parameters if they exist. (I recall seeing ?a somewhere.) Need to find documentation of such parameters.
     Also, the target normally contains a tracking parameter &feature=youtu.be but we probably don't want that. -->
   <rule from="^http://youtu\.be/(\w{11})(.*)$" 
           to="https://www.youtube.com/watch?v=$1" />
</ruleset>
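A small evaluator for the ruleset format used throughout this post, written here as an added example (it is not part of HTTPS Everywhere nor of the attached files): it parses target, exclusion, rule and default_off, translates the $1 backreferences, and shows two points made above, namely that the unanchored nbbw.cgi rule carries a GET query string through while the $-anchored scraper.htm rule does not, and that the youtu.be rule drops the &feature=youtu.be tracking parameter. The wildcard-target semantics (any subdomain depth) and the trimmed YouTube+ target list are my assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the Scroogle ruleset and a trimmed YouTube+ ruleset copied
# from this post. The "*.ytimg.com" wildcard target is a simplification of the
# six explicit ytimg hosts in the original attachment.
SAMPLE_RULESETS = r"""<rulesets>
<ruleset name="Scroogle">
  <target host="www.scroogle.org" />
  <target host="scroogle.org" />
  <rule from="^http://(www\.)?scroogle\.org/cgi-bin/nbbw\.cgi" to="https://ssl.scroogle.org/cgi-bin/nbbwssl.cgi"/>
  <rule from="^http://(www\.)?scroogle\.org/cgi-bin/scraper\.htm$" to="https://ssl.scroogle.org/" />
</ruleset>
<ruleset name="YouTube+" default_off="breaks embedded videos">
  <target host="www.youtube.com" />
  <target host="*.ytimg.com" />
  <target host="youtu.be" />
  <exclusion pattern="^http://(www\.)?youtube\.com/crossdomain\.xml"/>
  <exclusion pattern="^http://i[1-4]\.ytimg\.com/bg/" />
  <rule from="^http://(www\.)?youtube\.com/" to="https://www.youtube.com/"/>
  <rule from="^http://(s|i([1-4]){0,1})\.ytimg\.com/" to="https://$1.ytimg.com/" />
  <rule from="^http://youtu\.be/(\w{11})(.*)$" to="https://www.youtube.com/watch?v=$1" />
</ruleset>
</rulesets>"""


def _js_to_py(to):
    """Turn a JavaScript-style '$1' replacement into Python's '\\g<1>' form."""
    return re.sub(r"\$(\d+)", r"\\g<\1>", to)


class Ruleset:
    def __init__(self, elem):
        self.name = elem.get("name")
        # A default_off attribute (any value) means the ruleset ships disabled.
        self.enabled = elem.get("default_off") is None
        self.targets = [t.get("host") for t in elem.findall("target")]
        self.exclusions = [re.compile(e.get("pattern")) for e in elem.findall("exclusion")]
        self.rules = [(re.compile(r.get("from")), _js_to_py(r.get("to")))
                      for r in elem.findall("rule")]

    def covers(self, host):
        """Target check: exact host, or a left wildcard matching any subdomain depth (assumption)."""
        for t in self.targets:
            if t.startswith("*.") and host.endswith(t[1:]):
                return True
            if host == t:
                return True
        return False

    def rewrite(self, url):
        """Return the rewritten URL, or None if this ruleset leaves it untouched."""
        host = urlsplit(url).hostname or ""
        if not self.enabled or not self.covers(host):
            return None
        # Any matching exclusion wins over every rule.
        if any(e.search(url) for e in self.exclusions):
            return None
        for pattern, repl in self.rules:
            if pattern.search(url):
                # Like JS String.replace with a non-global regex: first match only,
                # so an unanchored 'from' keeps whatever follows the match (the query).
                return pattern.sub(repl, url, count=1)
        return None


def load_rulesets(xml_text):
    return [Ruleset(e) for e in ET.fromstring(xml_text).findall("ruleset")]


def rewrite_url(rulesets, url):
    """First ruleset that rewrites the URL wins; None means no HTTPS upgrade."""
    for rs in rulesets:
        out = rs.rewrite(url)
        if out is not None:
            return out
    return None


if __name__ == "__main__":
    rs = load_rulesets(SAMPLE_RULESETS)
    for u in ("http://scroogle.org/cgi-bin/nbbw.cgi?Gw=test",
              "http://www.scroogle.org/cgi-bin/scraper.htm?Gw=test",
              "http://youtu.be/abcdefghijk?feature=youtu.be"):
        print(u, "->", rewrite_url(rs, u))
```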