[HTTPS-Everywhere] Overriding warning about insecure form submission
Seth David Schoen
schoen at eff.org
Thu Jun 2 14:36:02 PDT 2011
A small number of sites have hardcoded form submission targets to
use HTTP URLs, which generates a warning that
Although this page is encrypted, the information you have entered is
to be sent over an unencrypted connection and could easily be read by
a third party.
Two current examples are
https://pay.reddit.com/
(enter something in the "search Reddit" box) and
https://www.abebooks.com/
(enter an author and click "Find Book").
Some, but not all, of the search boxes on EFF's own site had the same
problem until recently, but that's been fixed. I'm still planning to
try to get these other sites to fix it. But the interesting thing is
that, in each of these cases, HTTPS Everywhere successfully rewrites
the form submission URL and submits the form securely. So the warning
is actually wrong: the information is not going to be sent over an
unencrypted connection.
Is there a way to hook this path and disable the warning if the form
target would be rewritten to HTTPS?
--
Seth Schoen <schoen at eff.org>
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107
More information about the HTTPS-everywhere
mailing list