[HTTPS-E Rulesets] Enhancements - BrowserID, Costco, ImageShack, Wikimedia

Christopher Liu cmliu00151 at gmail.com
Thu Oct 18 17:54:40 PDT 2012


To whom it may concern:

All these suggestions are valid for the rulesets as they exist in the
3.0 branch, except for part of ImageShack (where indicated).

BrowserID: The service appears to have moved to login.persona.org; the
browserid.org URLs still respond in https, redirecting there. Should
coverage be added accordingly?

Costco:
- www.costco.com currently uses images.costco.com (in
  http)/secure-costco6.richfx.com (in https) for product images. We
  should probably add a rule from the former to the latter, and/or a
  trivial rewrite for the latter.
- These domains also support https: www2.costco.com, www9.costco.com
  (used for tracking), www.costcotravel.com, www.costcofinance.com
- It appears that content.costco.com is now equivalent to
  www2.costco.com; as before, the rule needs to match https in order to
  fix any protocol-relative URLs that may be misused.
  (For example, https://www2.costco.com/Service/FeaturePage.aspx?ProductNo=11486072&cm_re=Common-_-Top_Nav-_-Pharmacy
  contains images from content;
  https://www2.costco.com/Pharmacy/DrugInformation.aspx?p=1 contains a
  tracking pixel from www9)

ImageShack:
It is possible for image URLs to have extraneous trailing slashes;
those need to be stripped when rewriting to
https://imageshack.us/a/... (e.g.
http://img9.imageshack.us/img9/7315/hayategradius.jpg/ ->
https://imageshack.us/a/img9/7315/hayategradius.jpg )
There is a domain a.imageshack.us that is also for image content (see
links to examples from
http://shmups.system11.org/viewtopic.php?p=607146#p607146 on down).
Thus the rule I submitted last time should be replaced with:

<rule from="^http://(?:a|img\d{1,3})\.imageshack\.us/(img\d{1,3}/\d+/\w+)\.(th\.)?(bmp|gif|jpe?g|png|tiff?)/?(\?|$)"
      to="https://imageshack.us/a/$1.$2$3$4" />

Also, the kb.imageshack.us exclusion should probably be merged to the
3.0 branch, as it seems to be affected too.

Wikimedia: ganglia.wikimedia.org no longer seems to need an exclusion;
see https://ganglia.wikimedia.org/latest/

Thank you for your time and help.

C. Liu
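
Added example (not part of the original message or of the HTTPS Everywhere code base): the ImageShack rule proposed above, run as a JavaScript regular expression to show the trailing slash being stripped while thumbnails and query strings survive. The `rewrite` and `runSamples` helpers are hypothetical, and every sample URL other than the hayategradius.jpg one quoted in the message is constructed.

```javascript
// The "from"/"to" pair from the proposed <rule>, as a JavaScript RegExp
// and replacement string ($1..$4 refer to the capture groups).
const IMAGESHACK_RULE = {
  from: /^http:\/\/(?:a|img\d{1,3})\.imageshack\.us\/(img\d{1,3}\/\d+\/\w+)\.(th\.)?(bmp|gif|jpe?g|png|tiff?)\/?(\?|$)/,
  to: "https://imageshack.us/a/$1.$2$3$4",
};

// Hypothetical helper: returns the rewritten URL, or null when the rule
// does not apply and the request would be left untouched by this rule.
function rewrite(url, rule = IMAGESHACK_RULE) {
  if (!rule.from.test(url)) return null;
  // An unmatched optional group, such as (th\.)?, is substituted as "".
  return url.replace(rule.from, rule.to);
}

// Constructed sample URLs, except the first, which is quoted in the message.
const SAMPLES = [
  "http://img9.imageshack.us/img9/7315/hayategradius.jpg/",     // trailing slash
  "http://a.imageshack.us/img9/7315/hayategradius.jpg",         // a.imageshack.us host
  "http://img9.imageshack.us/img9/7315/hayategradius.th.jpg",   // thumbnail
  "http://img9.imageshack.us/img9/7315/hayategradius.jpg/?x=1", // slash before query
  "http://img9.imageshack.us/img9/7315/hayategradius.jpgx",     // not an image extension
  "http://kb.imageshack.us/img9/7315/hayategradius.jpg",        // host not covered by this rule
];

// Maps each sample to its rewrite result so the outcome can be inspected.
function runSamples() {
  return SAMPLES.map((url) => [url, rewrite(url)]);
}

for (const [url, out] of runSamples()) {
  console.log(url, "->", out === null ? "(no rewrite)" : out);
}
```

The final `(\?|$)` group is what keeps the rule from firing on a path that merely starts with an image extension, and it is also why a query string after the stripped slash is preserved.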



