Opened 10 years ago

Closed 8 years ago

#2166 closed enhancement (wontfix)

Provide checkbox "Break sites to provide more security (where possible)"

Reported by: mikeperry Owned by: pde
Priority: Medium Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere Version:
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

We should add a flag that specifies that an exemption allows site functionality at the expense of security. The flag could also be present on rules that break functionality in favor of security, and on cookie flagging rules that set the secure bit on cookies that still need to be transmitted over http in some cases.

With this syntax, we can then provide a UI option that says "Break sites to provide more security (where possible)". When checked, it would also disable the code that gives up on https redirects after the redirect limit has been reached.

Child Tickets

Change History (3)

comment:1 Changed 10 years ago by pde

Status: new → accepted

So, big question: should this flag be set for the Facebook ruleset?

And should it be checked by default?

comment:2 Changed 10 years ago by pde

Currently, the instinctive conclusion I have about this is that it's okay to have the Facebook rule on by default, because the breakage is (1) fairly obvious and (2) arguably not a core piece of functionality for many users.

But I reached the opposite conclusion about Amazon, because the breakage there is subtle but widespread. Does it really make sense to have a checkbox that toggles these cases together?

Perhaps a three state toggle:

Break sites to provide more security (where possible):

  1. Always
  2. When it's probably worth it [default]
  3. As rarely as possible

Amazon is 1, Facebook is 2.
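As an added illustration of the per-rule flag proposed in the description and the three-state toggle sketched in comment:2 (example code written for this page, not part of the ticket or of HTTPS Everywhere itself; the `break_level` attribute, the example hosts and the cookie names are assumptions):

```python
import xml.etree.ElementTree as ET

# Constructed rulesets in HTTPS Everywhere's XML format (not from the project).
# The break_level attribute is hypothetical: it marks an element as a
# security-vs-functionality trade-off and names the most lenient user setting
# at which the secure side still wins. Mirroring comment:2, the store's
# exclusion is level 1 (only "Always" drops it); the social site's is level 2.
RULESETS = """<rulesets>
  <ruleset name="Example Store">
    <target host="store.example.com"/>
    <exclusion pattern="^http://store\\.example\\.com/checkout/" break_level="1"/>
    <securecookie host="^store\\.example\\.com$" name="^session$" break_level="2"/>
    <rule from="^http:" to="https:"/>
  </ruleset>
  <ruleset name="Example Social">
    <target host="social.example.com"/>
    <exclusion pattern="^http://social\\.example\\.com/chat/" break_level="2"/>
    <securecookie host="^social\\.example\\.com$" name=".*"/>
    <rule from="^http:" to="https:"/>
  </ruleset>
</rulesets>"""

# The three-state toggle from comment:2, ordered most to least aggressive.
ALWAYS, PROBABLY_WORTH_IT, RARELY = 1, 2, 3

def secure_side_wins(element, setting):
    """True when the user's setting is at least as aggressive as the element's
    level. Unflagged elements are unconditional and never change state."""
    level = element.get("break_level")
    return level is not None and setting <= int(level)

def active_elements(rulesets_xml, setting):
    """Return (ruleset, tag, key) for exclusions and securecookies in effect.
    An exclusion is a functionality exemption, so it is dropped when the
    secure side wins; a flagged securecookie is applied only when it wins."""
    active = []
    for ruleset in ET.fromstring(rulesets_xml).iter("ruleset"):
        for el in ruleset:
            if el.tag == "exclusion":
                if not secure_side_wins(el, setting):
                    active.append((ruleset.get("name"), "exclusion", el.get("pattern")))
            elif el.tag == "securecookie":
                if el.get("break_level") is None or secure_side_wins(el, setting):
                    active.append((ruleset.get("name"), "securecookie", el.get("name")))
    return active
```

At setting 1 both exclusions vanish and every secure-cookie rule applies; at setting 3 both exclusions stay and only the unflagged cookie rule applies.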

comment:3 Changed 8 years ago by pde

Resolution: wontfix
Status: accepted → closed

I'm declaring this a wontfix. If someone has a plan for how to implement it in a sane way, they can reopen and we can talk :)
