Opened 6 years ago

Last modified 2 years ago

#9160 new enhancement

Rewrite URLs in the document

Reported by: someone Owned by: pde
Priority: Low Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere Version: HTTPS-E 4.0dev8
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Add a feature to search for, and rewrite unsafe URLs that have a secure counterpart *in the document itself*.
This would be done either:

  • via extension options
  • as an extension to the extension
  • via a key combination to activate on demand

As of yet, there is no way to see if a URL will be rewritten before visiting/downloading the resource it points to.
Adding such a feature would greatly improve users' security.

Child Tickets

Change History (3)

comment:1 Changed 6 years ago by pde

Priority: normalminor

Is your concern specifically that you can't roll over a link and see the rewritten address in the status bar?

I'd rather apply our rulesets to the statusbar than try to edit the DOM, which is a complex and error-inducing process.

comment:2 in reply to:  1 Changed 6 years ago by someone

Replying to pde:

I'd rather apply our rulesets to the statusbar than try to edit the DOM, which is a complex and error-inducing process.

Yes, that has occurred to me, but there are other ways one can find himself on an insecure web page. Rewriting the status bar will only address nr. 2 of the following list of ways that can happen:

  1. Entering the URL into the address bar
  2. Clicking on an element surrounded in an "a" tag
  3. Rightclicking on a link displayed as ordinary text (ie. not an "a" tag)
  4. Submitting a form (URL in the target attribute, see nr. 6.2 for AJAX)
  5. Statically rewritten URL
    1. HTTP redirection status codes
    2. HTTP equivalent meta tag
  6. Dynamically rewritten URL
    1. Automatically-generated event
    2. User-generated event

Granted, my first proposal is only slightly better in scoope, while clumsy. Therefore, allow me to suggest how I think each point could be addressed instead, incorporating your suggestion:

  1. Rewrite the URL in the "autocomplete" menu
  2. Rewrite the URL in the statusbar
  3. Rewrite the "select+right-click" menu OR make it show target URL in the status bar (see nr. 2)
  4. Enforce showing target URL in the statusbar when hovering over a submit button (see nr. 2)
  5. Allow/disallow dialog, if leaving for an insecure location
  6. (see nr. 5)

The solution to the last two is what should be opt-in (at least until most sites on the web start using HTTPS), but others should be on by default, I think.
This suggestion is substantially different from the original ticket so, If you want, I can post this to a new ticket so you can tag this one invalid.
Let me know what you think.

comment:3 Changed 2 years ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

Note: See TracTickets for help on using tickets.