[HTTPS-E Rulesets] Pull request for 4 new/updated rules; and an idea for coping with bad certificate CN/untrusted CAs/self-signed certs

Ondrej Mikle ondrej.mikle at gmail.com
Sun Apr 29 06:19:37 PDT 2012


On 04/29/2012 06:13 AM, Peter Eckersley wrote:
> On Sat, Apr 28, 2012 at 04:52:02PM +0200, Ondrej Mikle wrote:
>  
>> One question towards secure cookies: The reddit.com rule needs to define
>> <target host=".reddit.com">, otherwise some of the cookies won't be switched
>> to secure. Though I haven't seen anything like that in any other rule. Some
>> weird anomaly?   
> 
> ".reddit.com" is not a valid target host; it won't match anything.

Actually it does. Either of these <target> elements works with the securecookie
rule (tried 2.0.3 and latest 3.0.x master HEAD
e0980ca1a78188836d2164b5c0c99079a63a4c97):

<target host="*.reddit.com"/>
<target host=".reddit.com"/>

Not sure if such a corner case is intended or not.

> You want <target host="*.reddit.com"> (if the cookie will be set by
> a.reddit.com, a.b.reddit.com, or a.b.c.reddit.com) and/or <target
> host="reddit.com"> (if the cookie will be set by reddit.com).  Note that
> .reddit.com is not a domain name, so it can't ever be the domain that's
> setting a cookie.

OK, I see that you already changed the target to "*.reddit.com", which works (and
doesn't look hackish).

Ondrej
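The target-host semantics described in the reply above (a `*.example.com` target covers subdomains at any depth but not the bare domain, anything else must match exactly, and a leading-dot "host" is not a hostname), worked through as a small ruleset checker. This is an added example, not code from the HTTPS Everywhere project; the matching rules, the `lint_target` helper, the constructed reddit-style ruleset and the assumption that a securecookie element only applies when some target covers the host that set the cookie are all my own reading of the thread, not the extension's actual implementation. The leading-dot normalisation of a cookie's Domain attribute follows RFC 6265 section 5.2.3.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ruleset fragment modelled on the rule discussed in the thread.
# It is not the project's real reddit.com ruleset.
RULESET_XML = r"""
<ruleset name="Reddit (constructed example)">
  <target host="reddit.com"/>
  <target host="*.reddit.com"/>
  <securecookie host="^(.*\.)?reddit\.com$" name=".*"/>
  <rule from="^http://" to="https://"/>
</ruleset>
"""


def target_matches(pattern, host):
    """Assumed target-host semantics from the thread:
    '*.example.com' matches a.example.com, a.b.example.com, ... but not
    example.com itself; any other pattern must equal the host exactly."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com" -- keeps the dot so evilexample.com cannot match
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def lint_target(pattern):
    """Flag target patterns that can never equal a real hostname (hypothetical
    lint helper, not a project tool). Returns a list of problem strings."""
    problems = []
    if pattern.startswith("."):
        problems.append(
            "'%s' starts with a dot and is not a hostname; use '*%s' for subdomains" % (pattern, pattern))
    if "*" in pattern and not pattern.startswith("*."):
        problems.append("'%s': only a leading '*.' wildcard is assumed here" % pattern)
    return problems


def normalize_cookie_domain(domain):
    """RFC 6265 5.2.3: a leading dot in a cookie's Domain attribute is ignored,
    so '.reddit.com' denotes the same domain as 'reddit.com'."""
    return domain.lower().lstrip(".")


def load_ruleset(xml_text):
    """Parse the <target> hosts and <securecookie> regexes of one ruleset."""
    root = ET.fromstring(xml_text)
    targets = [t.get("host") for t in root.findall("target")]
    cookies = [(re.compile(c.get("host")), re.compile(c.get("name")))
               for c in root.findall("securecookie")]
    return targets, cookies


def cookie_will_be_secured(xml_text, cookie_domain, cookie_name):
    """Assumption: a cookie is flagged Secure only if (a) some <target> covers the
    normalised domain the cookie belongs to and (b) a <securecookie> element's
    host and name regexes both match. This is a model, not the extension's code."""
    targets, cookies = load_ruleset(xml_text)
    domain = normalize_cookie_domain(cookie_domain)
    if not any(target_matches(t, domain) for t in targets):
        return False
    return any(h.match(domain) and n.match(cookie_name) for h, n in cookies)


if __name__ == "__main__":
    for t in [".reddit.com", "*.reddit.com", "reddit.com"]:
        print(t, lint_target(t) or "ok")
    for d in [".reddit.com", "www.reddit.com", "reddit.com", "evilreddit.com"]:
        print(d, cookie_will_be_secured(RULESET_XML, d, "session"))
```

Running the block shows why the two target spellings behave differently under these assumed rules: `*.reddit.com` covers every subdomain, while `.reddit.com` as a literal target never equals any hostname and is reported by the lint; a cookie whose Domain attribute is written as `.reddit.com` is still covered, because the leading dot is dropped before matching.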




More information about the HTTPS-Everywhere-Rules mailing list