<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    You can easily reproduce the problem on any page by simply altering
    a form's action attribute to use the HTTP scheme with the developer
    console (in Firefox and Chrome). I couldn't find a publicly available
    website with the explained issue that also has a ruleset defined. I
    created the following test page; although it doesn't match any HTTPS
    Everywhere ruleset, it might still be useful.<br>
    <br>
    <a class="moz-txt-link-freetext" href="https://movlib.org/https-to-http-warning.html">https://movlib.org/https-to-http-warning.html</a><br>
    <br>
    The problem only targets forms. My proposition was to search only
    for action attributes. Something along these lines:<br>
    <br>
    <pre wrap="">// Make same-domain form actions protocol-relative so they inherit the page's scheme.
for (var i = 0; i &lt; document.forms.length; i++) {
  document.forms[i].action = document.forms[i].action.replace(
    "http://" + httpsEverywhere.currentDomain,
    "//" + httpsEverywhere.currentDomain);
}</pre>
    <br>
    An alternate approach could be to simply intercept form submissions
    and check the target URL for above condition and rewrite it before
    the actual submission occurs. This would help with injected forms.<br>
    <br>
    Richard<br>
    <br>
    <div class="moz-cite-prefix">On 8/20/2014 8:30 PM, Jacob S
      Hoffman-Andrews wrote:<br>
    </div>
    <blockquote cite="mid:53F4E945.2050406@eff.org" type="cite">
      I wasn't able to reproduce this prompt on Tumblr, in a fresh
      FF31.0 profile with only HTTPS Everywhere installed. Is there
      another site that reproduces reliably?<br>
      <br>
      I would be mildly in favor of searching the page after load for form
      elements where action points to an insecure URL that we can
      rewrite. I'm more on the fence about rewriting the whole page. It
      might enable us to re-enable some rulesets that were disabled for
      MCB, but it would work pretty inconsistently because of JavaScript
      insertions and runs the risk of moving HTTPS Everywhere from
      "slow" to "really slow."<br>
      <br>
      <div class="moz-cite-prefix">On 08/20/2014 02:27 PM, Nick
        Semenkovich wrote:<br>
      </div>
      <blockquote
cite="mid:CAJKgmrWdi9_LeCbK0WtuuU7FVvQ-=KBmQg48RXP3+mVpeCB3Aw@mail.gmail.com"
        type="cite">
        <div dir="ltr">Chrome now warns about this too, per:
          <div><br>
          </div>
          <div><a moz-do-not-send="true"
              href="https://code.google.com/p/chromium/issues/detail?id=253249">https://code.google.com/p/chromium/issues/detail?id=253249</a></div>
          <div class="gmail_extra"> <br>
          </div>
          <div class="gmail_extra">Looks like it's on the beta channel
            (M37) which will probably hit stable in ~one month.<br>
            <br>
            <div class="gmail_quote">On Wed, Aug 20, 2014 at 1:10 PM,
              Richard Fussenegger, BSc <span dir="ltr">&lt;<a
                  moz-do-not-send="true"
                  href="mailto:richard@fussenegger.info" target="_blank">richard@fussenegger.info</a>&gt;</span>
              wrote:<br>
              <blockquote class="gmail_quote" style="margin:0 0 0
                .8ex;border-left:1px #ccc solid;padding-left:1ex">This
                topic was already raised once in the past (see <a
                  moz-do-not-send="true"
href="https://lists.eff.org/pipermail/https-everywhere/2011-June/000914.html"
                  target="_blank">https://lists.eff.org/pipermail/https-everywhere/2011-June/000914.html</a>)
                but I'd like to discuss it again because it's pretty
                annoying and might even be disturbing to new users of
                the extension.<br>
                <br>
                I found that the main problem is websites that have the
                scheme hard-coded on form action attributes. I therefore
                propose that the extension could parse the page and
                rewrite any URL pointing to the current domain that has
                the http scheme set instead of the secure one. I'm also
                willing to produce this feature but I don't know if this
                is even possible with an extension like
                HTTPS-Everywhere. You might be able to answer this or
                maybe you have some arguments why this would be a bad
                idea.<br>
                <br>
                Richard<br>
                _______________________________________________<br>
                HTTPS-Everywhere mailing list<br>
                <a moz-do-not-send="true"
                  href="mailto:HTTPS-Everywhere@lists.eff.org"
                  target="_blank">HTTPS-Everywhere@lists.eff.org</a><br>
                <a moz-do-not-send="true"
                  href="https://lists.eff.org/mailman/listinfo/https-everywhere"
                  target="_blank">https://lists.eff.org/mailman/listinfo/https-everywhere</a><br>
              </blockquote>
            </div>
            <br>
            <br clear="all">
            <div><br>
            </div>
            -- <br>
            Nick Semenkovich<br>
            Laboratory of Dr. Jeffrey I. Gordon<br>
            Medical Scientist Training Program<br>
            School of Medicine<br>
            Washington University in St. Louis<br>
            <a moz-do-not-send="true"
              href="https://nick.semenkovich.com/" target="_blank">https://nick.semenkovich.com/</a>
          </div>
        </div>
        <br>
      </blockquote>
      <br>
    </blockquote>
    <br>
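    The submission-interception approach described in the top message, sketched as an added example (not code from the thread or from HTTPS Everywhere). The names upgradeFormAction and installSubmitUpgrade are hypothetical, and the test URLs are constructed; the decision is made with URL parsing rather than string replacement so that mixed-case schemes, explicit ports and relative actions are handled.

```javascript
"use strict";
// Added example; upgradeFormAction and installSubmitUpgrade are hypothetical names.

// Return the https:// form of `action` when it targets the page's own host over
// plain HTTP on the default port; return null when it must be left untouched.
function upgradeFormAction(action, pageUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return null;   // only secure pages are affected
  let target;
  try {
    target = new URL(action, page);              // resolves relative and "//host" forms
  } catch (e) {
    return null;                                 // unparsable action: do nothing
  }
  if (target.protocol !== "http:") return null;  // already https, or another scheme
  if (target.hostname !== page.hostname) return null; // other hosts are left to rulesets
  if (target.port !== "") return null;           // explicit non-default port: no guess
  target.protocol = "https:";
  return target.href;
}

// Capture-phase listener on the document: it also sees forms inserted by script
// after load, which a one-time scan of document.forms would miss.
function installSubmitUpgrade(doc) {
  doc.addEventListener("submit", function (event) {
    const form = event.target;
    const submitter = event.submitter;           // a button's formaction overrides the form
    const override = Boolean(submitter) && submitter.hasAttribute("formaction");
    const owner = override ? submitter : form;
    const attr = override ? "formaction" : "action";
    // Read the attribute, not form.action: an input named "action" shadows the property.
    const upgraded = upgradeFormAction(owner.getAttribute(attr) || "", doc.location.href);
    if (upgraded !== null) owner.setAttribute(attr, upgraded);
  }, true);
}

if (typeof document !== "undefined") installSubmitUpgrade(document);
```

    A script that calls form.submit() directly does not fire the submit event, so this listener does not see those submissions.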
  </body>
</html>