[tor-bugs] #9160 [EFF-HTTPS Everywhere]: Rewrite URLs in the document

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jun 28 10:48:38 UTC 2013 

#9160: Rewrite URLs in the document
----------------------------------+-----------------------------------------
 Reporter:  someone               |          Owner:  pde            
     Type:  enhancement           |         Status:  new            
 Priority:  minor                 |      Milestone:                 
Component:  EFF-HTTPS Everywhere  |        Version:  HTTPS-E 4.0dev8
 Keywords:                        |         Parent:                 
   Points:                        |   Actualpoints:                 
----------------------------------+-----------------------------------------

Comment(by someone):

 Replying to [comment:1 pde]:

 > I'd rather apply our rulesets to the statusbar than try to edit the DOM,
 which is a complex and error-inducing process.

 Yes, that has occurred to me, but there are other ways one can find
 himself on an insecure web page. Rewriting the status bar will only
 address nr. 2 of the following list of ways that can happen:

  1. Entering the URL into the address bar
  1. Clicking on an element surrounded in an "a" tag
  1. Rightclicking on a link displayed as ordinary text (ie. not an "a"
 tag)
  1. Submitting a form (URL in the target attribute, see nr. 6.2 for AJAX)
  1. Statically rewritten URL
    1. HTTP redirection status codes
    1. HTTP equivalent meta tag
  1. Dynamically rewritten URL
    1. Automatically-generated event
    1. User-generated event

 Granted, my first proposal is only slightly better in scoope, while
 clumsy. Therefore, allow me to suggest how I think each point could be
 addressed instead, incorporating your suggestion:

  1. Rewrite the URL in the "autocomplete" menu
  1. Rewrite the URL in the statusbar
  1. Rewrite the "select+right-click" menu OR make it show target URL in
 the status bar (see nr. 2)
  1. Enforce showing target URL in the statusbar when hovering over a
 submit button (see nr. 2)
  1. Allow/disallow dialog, if leaving for an insecure location
  1. (see nr. 5)

 The solution to the last two is what should be opt-in (at least until most
 sites on the web start using HTTPS), but others should be on by default, I
 think.
 This suggestion is substantially different from the original ticket so, If
 you want, I can post this to a new ticket so you can tag this one invalid.
 Let me know what you think.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9160#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list