[HTTPS-Everywhere] persistent user-generated rules
Jacob Hoffman-Andrews
jsha at newview.org
Sun Jan 12 20:28:11 PST 2014
> 2. better way to upload rules
> I agree with Claudio that email is probably not a great way to do this.

Email's not great, but it's a quick-and-dirty way to get it out there,
until someone has time to implement a server-side solution.

> 3. Decoupling rules:

I think we shouldn't decouple the rules. This might allow faster release
cycles for rule lists, but my understanding is that each release
requires a fair bit of public QA to ferret out broken rules, so speeding
things up would be hard. And my understanding is that at least Firefox
and maybe Chrome support the notion of beta channels for extensions,
which solves that use case.

I don't see a need for different organizations to maintain separate rule
lists.

Also, the signature checking would introduce a new attack surface, and
would probably have to be implemented in JS, which is always risky for
crypto code.

> 4. Code review comments regarding injecting STS.

I think we shouldn't try to inject STS headers. It doesn't solve a
problem, as far as I can tell.