Comments (19)
Hmm, that's an interesting point, which deserves more thinking. I didn't build the infrastructure to support protocol when looking up hostnames from white and blacklist.
Your particular example could be addressed using per-page permission:
- Go to https://github.com
- Click per-page permission
- Whitelist github.com
Result: github.com is whitelisted only when visiting a page starting exactly with https://github.com.
Another idea I had a while ago was to enforce the protocol of whatever the protocol of the top-page is (I don't see this requiring scary major change to the core of the code):
If visiting https://github.com and github.com is whitelisted, block all requests from the page which are not https. That would be a switch of course.
What do you think?
from httpswitchboard.
How does one access the 'per-page permission'?
"If visiting https://github.com and github.com is whitelisted, block all requests from the page which are not https. That would be a switch of course."
A switch for this is essentially what I would imagine to be the simplest solution.
from httpswitchboard.
Well, in retrospect that's the default behavior. If a page is HTTPS and a third party is trying to load HTTP content on it, a 'shield' appears in the URL bar.
This case is instead saying "If I whitelist HTTPS://github.com, the rules for https://github.com should not apply to http://github.com" not "If I whitelist HTTPS://github.com, do not allow non HTTPS content to load."
from httpswitchboard.
Ok, in that case this is what the per-page permission currently does. It's the top-left icon in the popup menu.
It allows creating permissions which apply only to pages starting exactly with {protocol}://{hostname}. So if you are on https://github.com[...] and create per-page permissions, the permission will apply only to pages whose URL starts exactly with https://github.com. I suppose per-prefix permission would be more accurate.
Permissions specific to a page prefix will never apply globally, and vice versa. When a per-page scope is created/removed, it is automatically persisted, no padlock required.
There is a visual cue when per-page permissions are in use: the top of the popup menu is blue, and so is the icon badge (that's the best I could come up with, I am no designer :-)
from httpswitchboard.
Is there simply a way to make the default behavior site-specific permissions?
from httpswitchboard.
In the current state of the code, that would be problematic, as when a page site-scope is created, it is automatically persisted, so going page site-scope by default would litter the storage I am afraid. But I certainly see your point, the nice thing with page site-scope is to confine whatever rules created for experiment purpose to that sole page site.
I really need to think more about this. At some point I had the idea of also offering the padlock semantic for the page site scope but I chose the simple on/off approach. I struggle a lot with UI considerations often, and here is also the case. In the current case I picture the user being completely confused as to why he needs to lock down the page site-scope. I don't know.. When I am unsure, I use the wait-and-see approach to think more about the issues.
from httpswitchboard.
That's fair. It's not really a big deal.
For something like youtube, I would want it allowed on all pages because of embedded videos. But then for something like Facebook I really only want it to be allowed on https://facebook.com, and that seems to be the case more often than not for me. I use Google Plus for video chat, so I need to allow it, but I again use a per-site permission because I don't want Plus loading on every other site that it tries to load on.
It's not critical. Right now I'm just clicking the button a lot, but that's hardly a big deal.
from httpswitchboard.
Just to be sure we are talking about the same thing.. As it is now, pagesite-scopes are always of the form [scheme]://[hostname], meaning the rest (path, query, fragment) is discarded. So if you pagesite-scope https://plus.google.com, the specific rules will be used for all requests made by a page starting with https://plus.google.com, you don't need to create a pagesite-scope for every single page on https://plus.google.com, it automatically applies to all pages on https://plus.google.com.
from httpswitchboard.
Yep, I'm clear on that.
from httpswitchboard.
I really need this feature to be able to safely browse on insecure WiFi networks.
I want to allow cookies only on HTTPS protocol.
I can't find the feature mentioned in this issue, per-page permission.
This is how my popup looks:
What do I click to get per-page permissions? I tried github.com in the top left corner, but it did not work. GitHub uses HSTS, but with a website that's accessible on http and https after logging in over https, I was logged in on http as well.
from httpswitchboard.
Per-page doesn't exist, it's per-site or per-domain.
How about HTTPS Everywhere? I tried to support scheme in scopes and this was just a mess, code and UI-wise. I don't plan to go back to that mess.
from httpswitchboard.
Your own comment, @gorhill, mentions per-page. Perhaps that's gone.
HTTPS everywhere uses a predefined list of websites, which is dumb.
What about a website that's not on the list? I still want to prevent data leakage over http.
What about a website that doesn't have HTTPS? I'd much rather not be able to access logged in area than leak authorization over http. =7
from httpswitchboard.
Per-page was my mistake.
Taking the scheme into account for scoping was a nightmare.
If you had a per-scope switch to enforce https, would that be useful to you? (When I say "enforce", I mean discard all requests which are not https, I wouldn't want to redirect blindly -- as it may not work etc).
from httpswitchboard.
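Added example, not part of the thread and not HTTP Switchboard's own code: a sketch of the [scheme]://[hostname] scoping described earlier in the thread combined with the per-scope "enforce https" switch proposed in the comment above, where non-https requests are discarded rather than redirected. All function names, the rule-store layout and the sample rules are hypothetical and constructed for illustration.

```javascript
// Added illustration; names and data below are hypothetical, not the extension's API.

// Reduce a page URL to its scope key: scheme://hostname.
// Path, query and fragment are discarded, as described in the thread.
function scopeKeyFromURL(pageURL) {
    const u = new URL(pageURL);
    return u.protocol + '//' + u.hostname;
}

// Constructed rule store: a global scope ('*') and one scheme-specific site scope.
const scopes = new Map([
    ['*', { whitelist: new Set(['youtube.com']), strictHttps: false }],
    ['https://github.com', { whitelist: new Set(['github.com']), strictHttps: true }],
]);

// A site scope, when present, replaces the global scope; the two are never merged,
// so rules made for https://github.com do not leak to http://github.com.
function scopeForPage(pageURL) {
    return scopes.get(scopeKeyFromURL(pageURL)) || scopes.get('*');
}

// True if hostname equals the whitelist entry or is a subdomain of it.
function hostMatches(hostname, entry) {
    return hostname === entry || hostname.endsWith('.' + entry);
}

// Decide one request made by a page: returns 'allow' or 'block'.
function evaluateRequest(pageURL, requestURL) {
    const scope = scopeForPage(pageURL);
    const req = new URL(requestURL);
    // Strict-HTTPS switch: discard anything that is not https, no redirect attempted.
    if (scope.strictHttps && req.protocol !== 'https:') {
        return 'block';
    }
    for (const entry of scope.whitelist) {
        if (hostMatches(req.hostname, entry)) {
            return 'allow';
        }
    }
    return 'block';
}
```

Because the scope key includes the scheme, a page loaded over http://github.com falls back to the global scope and never inherits the whitelist created for https://github.com.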
Yes, that would solve it indeed.
from httpswitchboard.
HTTPS-Everywhere already supports adding sites that aren't on its list, btw.
from httpswitchboard.
Found this too: http://www.paulspoerry.com/2012/how-to-force-https-chrome/
Apparently you can force a website to always use HTTPS or nothing: chrome://net-internals/#hsts
from httpswitchboard.
I want to allow cookies only on HTTPS protocol.
This can be done within the browser's native controls, rather than an extension. Set it to block all cookies and then add the following rule in the exceptions.
@gorhill I believe that interface is only for testing. It's quite tedious to use and won't persist across closing and opening the browser, (the last time I checked anyway).
from httpswitchboard.
HTTPS-Everywhere already supports adding sites that aren't on its list, btw.
Apparently you can force a website to always use HTTPS or nothing: chrome://net-internals/#hsts
Both useful, but still not secure. They imply a manual check before going to each website. In that case I might as well check for protocol myself.
This can be done within the browsers native controls, rather than an extension. Set it to block all cookies and then add the following rule in the exceptions.
This is a great idea, thank you! This works.
from httpswitchboard.
This can be done within the browsers native controls, rather than an extension. Set it to block all cookies and then add the following rule in the exceptions
Nice elegant solution, and native in the browser. Thanks for the tip.
from httpswitchboard.