[HTTPS-E Rulesets] More to GoogleAPIs.xml

Osama Khalid osamak at gnu.org
Wed May 18 15:52:33 PDT 2011 

Currently, accessing URLs like http://google.com/uds would redirect
the user to http://www.google.com/uds which will be rewritten to
https://www.google.com/uds. This makes these URLs theoretically
vulnerable.

This patch fixes that on the URLs Google would normally redirect.

Plus, it adds a rule for www.google.com/chart.

--Osama Khalid
-------------- next part --------------
diff --git a/src/chrome/content/rules/GoogleAPIs.xml b/src/chrome/content/rules/GoogleAPIs.xml
index 91da3c1..fdca891 100644
--- a/src/chrome/content/rules/GoogleAPIs.xml
+++ b/src/chrome/content/rules/GoogleAPIs.xml
@@ -9,6 +9,7 @@
   <target host="webcache.googleusercontent.com" />
   <target host="static.googleusercontent.com" />
   <target host="api.recaptcha.net" />
+  <target host="google.com" />
   <target host="www.google.com" />
   <target host="gstatic.com" />
   <target host="*.gstatic.com" />
@@ -44,12 +45,14 @@
           to="https://webcache.googleusercontent.com/"/>
   <rule from="^http://api\.recaptcha\.net/"
           to="https://www.google.com/recaptcha/api/"/>
-  <rule from="^http://www\.google\.com/recaptcha/"
+  <rule from="^http://(www\.)?google\.com/recaptcha/"
           to="https://www.google.com/recaptcha/"/>
   <rule from="^http://www\.google\.com/calendar/embed"
           to="https://www.google.com/calendar/embed"/>
-  <rule from="^http://www\.google\.com/uds"
+  <rule from="^http://(www\.)?google\.com/uds"
           to="https://www.google.com/uds"/>
+  <rule from="^http://(www\.)?google\.com/chart"
+          to="https://www.google.com/chart"/>
 
 <!--  jsapi was causing problems on some sites that embed google maps:
       https://trac.torproject.org/projects/tor/ticket/2335
@@ -58,10 +61,10 @@
           to="https://www.google.com/jsapi"/>
           -->
 
-  <rule from="^http://www\.google\.com/buzz"
+  <rule from="^http://(www\.)?google\.com/buzz"
           to="https://www.google.com/buzz"/>
 
-  <rule from="^http://www\.google\.com/afsonline/"
+  <rule from="^http://(www\.)?google\.com/afsonline/"
           to="https://www.google.com/afsonline/"/>
 
   <rule from="^http://gdata\.youtube\.com/"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.eff.org/pipermail/https-everywhere-rules/attachments/20110519/280333be/attachment.sig>

More information about the HTTPS-Everywhere-Rules mailing list