[HTTPS-Everywhere] trailing / in a rule
Seth David Schoen
schoen at eff.org
Thu Jul 29 15:11:50 PDT 2010
James Nobis writes:
> I've seen rules with the trailing / and without it. I know that when
> you hit a web server if the trailing / is missing it generally adds an
> extra round trip in the form of a redirect, though it appears Firefox
> corrects this before requesting the url.
>
> What should or shouldn't rules do for the trailing /?
Hi,
There is a difference between the trailing slash at the top level,
like
https://www.eff.org/
and the trailing slash at some other level, like
http://www.cultura.gov.br/consultadireitoautoral/consulta/
A trailing slash should always be present at the top level because
this prevents cases where a rule inappropriately triggers on a
hostname that starts with the hostname of another site, like
eff.organizationsilike.net or google.communitiesonline.org or
whatever. Even if the user types the URL without the top-level
trailing slash, Firefox will provide it before it reaches HTTPS
Everywhere. Thus, a rule like
<rule from="^http://(www\.)?paypal\.com/" to="https://www.paypal.com/"/>
works correctly for all of
http://www.paypal.com/
http://www.paypal.com
http://paypal.com/
http://paypal.com
and avoids spuriously matching a hypothetical non-PayPal site with
a hostname that happens to begin with the string "paypal.com".
Slashes that are not at the top level are not required and the
appropriate behavior is site-dependent. In principle,
http://www.example.com/foo/ does not have to be the same resource
as http://www.example.com/foo and URLs may well be correct
without a trailing slash. For example
https://www.eff.org/deeplinks/2010/07/doj-pushing-expand-warrantless-access-internet
is a complete, correct URL. When writing rules that don't
operate exclusively at the top level of the site, you should
write the rules based on the actual behavior of the site they
relate to.
This is described more succinctly at
https://trac.torproject.org/projects/tor/ticket/1674
which is pointing out that the rules shipped with HTTPS Everywhere
don't all use a consistent style yet.
--
Seth Schoen
Senior Staff Technologist schoen at eff.org
Electronic Frontier Foundation https://www.eff.org/
454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107
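
Added example, not part of the original message or of the HTTPS Everywhere code: the paypal.com rule quoted above, side by side with the same rule written without the top-level trailing slash. The helpers normalize() and applyRule(), the sample URLs, and the lookalike hostname paypal.community.example are constructed for illustration; normalize() assumes the URL parser fills in the top-level "/" the way the message says Firefox does.

```javascript
// Rule as given in the message: top-level trailing slash present.
const withSlash = {
  from: /^http:\/\/(www\.)?paypal\.com\//,
  to: "https://www.paypal.com/",
};

// Same rule with the trailing slash left off (the form to avoid).
const withoutSlash = {
  from: /^http:\/\/(www\.)?paypal\.com/,
  to: "https://www.paypal.com",
};

// Assumption: the WHATWG URL parser stands in for the browser, which
// supplies the top-level "/" before the rule ever sees the URL.
function normalize(typed) {
  return new URL(typed).href;
}

// Returns the rewritten URL, or null when the rule does not trigger.
function applyRule(rule, typed) {
  const url = normalize(typed);
  return rule.from.test(url) ? url.replace(rule.from, rule.to) : null;
}

// Constructed sample input.
const samples = [
  "http://www.paypal.com/",
  "http://www.paypal.com",
  "http://paypal.com/",
  "http://paypal.com",
  "http://paypal.com/some/path",
  "http://paypal.community.example/login", // different site, same prefix
];

// One row per sample: what each form of the rule does with it.
function report() {
  return samples.map((url) => ({
    url,
    withSlash: applyRule(withSlash, url),
    withoutSlash: applyRule(withoutSlash, url),
  }));
}

console.table(report());
```

The rule with the slash leaves the lookalike host alone (null), while the rule without it triggers on that host and rewrites a URL for a site it was never written for.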