[HTTPS-Everywhere] Downgrade rules vs exclusions
Jacob S Hoffman-Andrews
jsha at eff.org
Fri Aug 15 11:33:52 PDT 2014

In trivial-validate.py we get a lot of warnings about rules that
redirect to HTTP. This seems like a normal thing, since some parts
of sites may not support HTTPS. But there's an alternate mechanism,
exclusions. Can anyone fill me in on why both mechanisms exist?
Would it be correct to reformulate all downgrade rules as exclusions
instead? Two examples below.

Fourmilab:
https://gitweb.torproject.org/https-everywhere.git/blob/HEAD:/src/chrome/content/rules/Fourmilab.xml#l32

    <!-- Without the following downgrade rule, images requested via the URL
    starting with http://www.fourmilab.com.ch/cgi-bin/uncgi/Earth? or
    http://www.fourmilab.com.ch/cgi-bin/Earth? may not load completely.
    (February 26, 2013.)
    -->
    <rule from="^https://(?:www\.)?fourmilab\.ch/cgi-bin/(?:uncgi/)?Earth\?"
          to="http://www.fourmilab.ch/cgi-bin/Earth?" downgrade="1" />

Zipcar:
https://gitweb.torproject.org/https-everywhere.git/blob/HEAD:/src/chrome/content/rules/Zipcar.xml

    <target host="*.zipcar.com" />
    <exclusion pattern="http://members\.zipcar\.com/(?!apply|regist)" />
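
A simplified model of ruleset evaluation, added here as an illustration (it is not part of the original message and not HTTPS Everywhere's own code), showing where the two mechanisms differ: a downgrade rule rewrites a request that is already HTTPS, while an exclusion only stops the ruleset from touching a matching URL. The targets, the `^http:` rules, the Fourmilab exclusion and the `rewrite` helper are assumptions; the downgrade rule and the Zipcar exclusion are the ones quoted above.

```python
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed rulesets. The downgrade <rule> and the Zipcar <exclusion> are
# quoted from the post; targets, the "^http:" rules and the Fourmilab
# exclusion are assumptions made for this illustration.
DOWNGRADE = r'''<ruleset name="Fourmilab, downgrade form">
  <target host="www.fourmilab.ch" />
  <rule from="^https://(?:www\.)?fourmilab\.ch/cgi-bin/(?:uncgi/)?Earth\?"
        to="http://www.fourmilab.ch/cgi-bin/Earth?" downgrade="1" />
</ruleset>'''
EXCLUDED = r'''<ruleset name="Fourmilab, hypothetical exclusion form">
  <target host="www.fourmilab.ch" />
  <exclusion pattern="^http://(?:www\.)?fourmilab\.ch/cgi-bin/(?:uncgi/)?Earth\?" />
  <rule from="^http:" to="https:" />
</ruleset>'''
ZIPCAR = r'''<ruleset name="Zipcar">
  <target host="*.zipcar.com" />
  <exclusion pattern="http://members\.zipcar\.com/(?!apply|regist)" />
  <rule from="^http:" to="https:" />
</ruleset>'''

def rewrite(ruleset_xml, url):
    """Return the rewritten URL, or None when the ruleset leaves it alone."""
    rs = ET.fromstring(ruleset_xml)
    host = urlsplit(url).hostname or ""
    if not any(fnmatch(host, t.get("host")) for t in rs.iter("target")):
        return None  # host is not covered by this ruleset
    # Exclusions are checked first: a match switches the whole ruleset off
    # for this URL, so the URL is passed through untouched.
    if any(re.search(e.get("pattern"), url) for e in rs.iter("exclusion")):
        return None
    # Otherwise the first rule whose "from" matches rewrites the URL.
    for rule in rs.iter("rule"):
        if re.search(rule.get("from"), url):
            to = rule.get("to")  # the "to" values above hold no $1 groups
            return re.sub(rule.get("from"), lambda m: to, url, count=1)
    return None
```
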