Also reformats a large chunk of the global toggle code because otherwise my text editor couldn't detect whether braces were properly matched (???)
…led" This reverts commit bda2202.
Just realized this causes side effects in Tor browser, since TorButton also interferes with FF proxy settings. Namely, since we've changed the FF proxy settings, the TorButton icon will show up with a red X when HTTP Nowhere is on. However, going to "check.torproject.org" still indicates that HTTPS requests are going over Tor when HTTP Nowhere is enabled.
Cool concept! I'll implement a similar toggle in Chrome.
@semenko cool, I was hoping you would so I don't ever have to learn chrome extension development. :) FWIW, there is a Chrome flag that sets HTTP proxies - not sure if it's modifiable from extension land.
This is ~one line with a blocking webRequest :)
That one line is not 80 characters or less! :P BTW is there OCSP enforcement mode in Chrome? This suggests yes: https://superuser.com/questions/261746/security-ocsp-require-in-google-chrome/264035#264035
Yep. Not sure it's API accessible. Of course, revocation checking is a security placebo (and privacy nightmare!). IIRC, Chrome is removing that option in the future, relying instead on CRLSets and the new OCSP stapling required flag.
Conflicts: src/components/https-everywhere.js
Rewrote blocking to happen in http-on-modify-request because I couldn't override Firefox's existing protocol handlers without causing the browser to immediately crash with a SIGSEGV error.
I think we can take out this OCSP-related portion of the patch; HTTPSEverywhere.shouldIgnoreURI() should now be ensuring that OCSP requests are left alone before we call HTTPS.replaceChannel()
Confusingly, shouldIgnoreURI is itself ignored if HTTPSNowhere is enabled. So this is still needed.
The rationale is that if a user wants HTTP Nowhere, we shouldn't let HTTP requests through even if they're OCSP.
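The decision order discussed in the review exchange above, as an added example that is not part of the thread or of HTTPS Everywhere's code. The function names, the two host sets, and the assumption that a rewrite to HTTPS is attempted before anything is blocked are all hypothetical.

```javascript
// Added example; every name here is hypothetical, not HTTPS Everywhere's code.

// Constructed stand-in for a ruleset lookup: hosts assumed to serve HTTPS.
const HTTPS_CAPABLE_HOSTS = new Set(["example.com"]);

// Constructed stand-in for the ignore check: hosts treated as OCSP responders.
const OCSP_RESPONDER_HOSTS = new Set(["ocsp.example-ca.test"]);

function shouldIgnore(url) {
  return OCSP_RESPONDER_HOSTS.has(url.hostname);
}

// Returns { action: "allow" | "rewrite" | "block", url? } for one request.
function decideRequest(rawUrl, httpNowhereEnabled) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    // Choice made for this example: an unparseable URL fails closed
    // only while HTTP Nowhere is on.
    return { action: httpNowhereEnabled ? "block" : "allow" };
  }
  if (url.protocol !== "http:") {
    return { action: "allow" }; // only plain HTTP is in scope here
  }
  // The ignore check is consulted only while HTTP Nowhere is off, so an
  // OCSP request over HTTP gets no exemption once the mode is enabled.
  if (!httpNowhereEnabled && shouldIgnore(url)) {
    return { action: "allow" };
  }
  // Assumption: a rewrite to HTTPS is attempted before anything is blocked.
  if (HTTPS_CAPABLE_HOSTS.has(url.hostname)) {
    url.protocol = "https:";
    return { action: "rewrite", url: url.href };
  }
  return { action: httpNowhereEnabled ? "block" : "allow" };
}

// Constructed sample requests, evaluated with the mode off and on.
for (const sample of [
  "http://example.com/a?b=1",
  "http://ocsp.example-ca.test/req",
  "http://plain.test/",
]) {
  for (const mode of [false, true]) {
    console.log(mode ? "nowhere=on " : "nowhere=off", sample, decideRequest(sample, mode).action);
  }
}
```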
Aside from the bug and enhancement flagged above, this looks good to merge if it has been tested a bit.
Add toggle mode for HTTP Nowhere
Yay! Great to see this work happening in HTTPS Everywhere. Ping me when ready and I'll be sure to update the description of the http-nowhere FF extension.
@cwilper Thanks for the inspiration. Pull requests here are welcome too. :)
This sounds interesting! How do I enable it (using 5.0dev.0 on Firefox)? Does it offer a whitelist / temporary whitelist option? |
Many people, including the celebrated Jimmy Wales, have asked us to include an "HTTP Nowhere" mode in HTTPS Everywhere. Inspired by Chris Wilper's HTTP Nowhere add-on v1.0 (https://addons.mozilla.org/en-us/firefox/addon/http-nowhere/, licenced GPLv3), I added this feature.
Currently it does this by changing Firefox's default HTTP proxy (accessible in about:preferences) to a null proxy (localhost:4) while enabled.
TODOs:
UPDATE: Am leaning toward rewriting this as an HTTP/FTP/etc. protocol handler after realizing that messing with proxy settings causes the TorButton UI to look very alarming if you're using Tor Browser.