[HTTPS-Everywhere] HTTPS to HTTP form submission warnings
Richard Fussenegger, BSc
richard at fussenegger.info
Wed Aug 27 12:53:30 PDT 2014
I found an actual live site with the problem: https://giphy.com/
Richard
On 8/20/2014 8:30 PM, Jacob S Hoffman-Andrews wrote:
> I wasn't able to reproduce this prompt on Tumblr, in a fresh FF31.0
> profile with only HTTPS Everywhere installed. Is there another site
> that reproduces reliably?
>
> I would be mildly in favor of searching the page after load for form
> elements where action points to an insecure URL that we can rewrite.
> I'm more on the fence about rewriting the whole page. It might enable
> us to re-enable some rulesets that were disabled for MCB, but it would
> work pretty inconsistently because of JavaScript insertions and runs
> the risk of moving HTTPS Everywhere from "slow" to "really slow."
>
> On 08/20/2014 02:27 PM, Nick Semenkovich wrote:
>> Chrome now warns about this too, per:
>>
>> https://code.google.com/p/chromium/issues/detail?id=253249
>>
>> Looks like it's on the beta channel (M37) which will probably hit
>> stable in ~one month.
>>
>> On Wed, Aug 20, 2014 at 1:10 PM, Richard Fussenegger, BSc
>> <richard at fussenegger.info> wrote:
>>
>> This topic was already raised once in the past (see
>> https://lists.eff.org/pipermail/https-everywhere/2011-June/000914.html)
>> but I'd like to discuss it again because it's pretty annoying and
>> might even be disturbing to new users of the extension.
>>
>> I found that the main problem is websites that have the scheme
>> hard coded on form action attributes. I therefore propose that
>> the extension could parse the page and rewrite any URL pointing
>> to the current domain that has the http scheme set instead of the
>> secure one. I'm also willing to produce this feature but I don't
>> know if this is even possible with an extension like
>> HTTPS-Everywhere. You might be able to answer this or maybe you
>> have some arguments why this would be a bad idea.
>>
>> Richard
>> _______________________________________________
>> HTTPS-Everywhere mailing list
>> HTTPS-Everywhere at lists.eff.org
>> https://lists.eff.org/mailman/listinfo/https-everywhere
>>
>> --
>> Nick Semenkovich
>> Laboratory of Dr. Jeffrey I. Gordon
>> Medical Scientist Training Program
>> School of Medicine
>> Washington University in St. Louis
>> https://nick.semenkovich.com/
>
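
The form-action rewrite discussed in this thread, sketched as an added example; it is not HTTPS Everywhere code and was not written by anyone in the thread. The function names are hypothetical, `example.com` stands in for a real site, and the DOM part assumes it runs as a content script on the loaded page.

```javascript
// Decide whether one form action should be upgraded.
// Returns the rewritten https URL, or null when the action must be left alone.
function upgradedAction(action, pageUrl) {
  let page, target;
  try {
    page = new URL(pageUrl);
    target = new URL(action, page); // relative actions resolve against the page
  } catch (e) {
    return null; // unparsable URL: do not touch it
  }
  if (page.protocol !== 'https:') return null;        // warning only occurs on secure pages
  if (target.protocol !== 'http:') return null;       // already https, or mailto:, javascript:, ...
  if (target.hostname !== page.hostname) return null; // "pointing to the current domain" only
  // An explicit port means we cannot assume where the https listener is.
  if (target.port !== '' || page.port !== '') return null;
  target.protocol = 'https:';
  return target.href;
}

// Rewrite every qualifying <form action> under root; returns the number changed.
function upgradeForms(root, pageUrl) {
  let changed = 0;
  for (const form of root.querySelectorAll('form[action]')) {
    const fixed = upgradedAction(form.getAttribute('action'), pageUrl);
    if (fixed !== null) {
      form.setAttribute('action', fixed);
      changed++;
    }
  }
  return changed;
}

if (typeof document !== 'undefined') {
  upgradeForms(document, location.href); // the "after load" pass
  // Forms inserted later by JavaScript are missed by a single pass, so re-scan
  // when nodes are added. Attribute writes do not trigger childList records,
  // so the rewrite itself does not cause another scan.
  new MutationObserver(() => upgradeForms(document, location.href))
    .observe(document.documentElement, { childList: true, subtree: true });
}
```

The re-scan on every DOM change is where the performance cost raised in the thread comes from.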