[HTTPS-E Rulesets] More to GoogleAPIs.xml
Osama Khalid
osamak at gnu.org
Wed May 18 15:52:33 PDT 2011
Currently, accessing URLs like http://google.com/uds would redirect
the user to http://www.google.com/uds which will be rewritten to
https://www.google.com/uds. This makes these URLs theoretically
vulnerable.
This patch fixes that on the URLs Google would normally redirect.
Plus, it adds a rule for www.google.com/chart.
--Osama Khalid
-------------- next part --------------
diff --git a/src/chrome/content/rules/GoogleAPIs.xml b/src/chrome/content/rules/GoogleAPIs.xml
index 91da3c1..fdca891 100644
--- a/src/chrome/content/rules/GoogleAPIs.xml
+++ b/src/chrome/content/rules/GoogleAPIs.xml
@@ -9,6 +9,7 @@
<target host="webcache.googleusercontent.com" />
<target host="static.googleusercontent.com" />
<target host="api.recaptcha.net" />
+ <target host="google.com" />
<target host="www.google.com" />
<target host="gstatic.com" />
<target host="*.gstatic.com" />
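Review bot: The new `google.com` target carries no explanation in the file, so a later reader cannot tell why the bare host is listed when every `to` still points at www.google.com. A short XML comment next to it would help, saying that the bare host is matched so that requests are rewritten before Google's cleartext redirect to www.google.com, as the commit message describes.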
@@ -44,12 +45,14 @@
to="https://webcache.googleusercontent.com/"/>
<rule from="^http://api\.recaptcha\.net/"
to="https://www.google.com/recaptcha/api/"/>
- <rule from="^http://www\.google\.com/recaptcha/"
+ <rule from="^http://(www\.)?google\.com/recaptcha/"
to="https://www.google.com/recaptcha/"/>
<rule from="^http://www\.google\.com/calendar/embed"
to="https://www.google.com/calendar/embed"/>
- <rule from="^http://www\.google\.com/uds"
+ <rule from="^http://(www\.)?google\.com/uds"
to="https://www.google.com/uds"/>
+ <rule from="^http://(www\.)?google\.com/chart"
+ to="https://www.google.com/chart"/>
<!-- jsapi was causing problems on some sites that embed google maps:
https://trac.torproject.org/projects/tor/ticket/2335
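Review bot: The new `/chart` rule, like the `/uds` rule it sits beside, has no trailing boundary, so `^http://(www\.)?google\.com/chart` also matches any path that merely begins with "chart" and rewrites it to HTTPS. If only the Chart API endpoint is intended, end the pattern with an explicit delimiter such as `/chart\?` or `/chart/`. Separately, the `calendar/embed` rule in this hunk is left as `www\.`-only while its neighbours are widened. If Google also redirects google.com/calendar/embed to the www host, it needs the same change. If not, a note saying so would explain the inconsistency.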
@@ -58,10 +61,10 @@
to="https://www.google.com/jsapi"/>
-->
- <rule from="^http://www\.google\.com/buzz"
+ <rule from="^http://(www\.)?google\.com/buzz"
to="https://www.google.com/buzz"/>
- <rule from="^http://www\.google\.com/afsonline/"
+ <rule from="^http://(www\.)?google\.com/afsonline/"
to="https://www.google.com/afsonline/"/>
<rule from="^http://gdata\.youtube\.com/"
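Review bot: The `(www\.)?` group added to the `buzz` and `afsonline` patterns is a capturing group that no `to` attribute references. Writing it as `(?:www\.)?` states the intent and keeps `$1` free for anyone who later adds a real capture to these rules. The same applies to the `recaptcha`, `uds` and `chart` patterns in the previous hunk.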