EFForg / https-everywhere

A browser extension that encrypts your communications with many websites that offer HTTPS but still allow unencrypted connections.
https://eff.org/https-everywhere

colorpalettes.net : the site is completely different when upgraded to https #17413

Closed geekley closed 5 years ago

geekley commented 5 years ago

Type: ruleset/website issue
Domain: colorpalettes.net

When visiting the home page of http://colorpalettes.net, HTTPSE upgrades it to https://colorpalettes.net. The problem is that they made the https version available, but it's a completely different page (this is so wrong!). And you can see it's a "default" page that they just didn't configure properly.

I believe HTTPSE should add a rule for not auto-upgrading this site to HTTPS, so if someone types colorpalettes.net it goes to the HTTP version. Of course, in this case, the extension should still display the warning before entering the HTTP version if the user has "block all unencrypted requests" enabled.

Or something like this. To be honest, I don't even know what should be the expected behavior of HTTPSE in this case (because what if they fix it later and make a proper https???). Then again, the way it is currently, you don't even get to see that there is a different HTTP version so you can disable it for the site... even if you explicitly type it with http:// before.

This seems like a complicated case...

pipboy96 commented 5 years ago

Currently, there is no ruleset for this domain. Do you have EASE (Encrypt All Sites Eligible) enabled?

geekley commented 5 years ago

Sorry, I don't know what this is (it's in Portuguese). I have enabled the option that would be "block all unencrypted requests", which forces encrypted requests, and prevents me from accessing a site in HTTP by mistake. The one that displays a warning if I try to go to a site that can't be upgraded to HTTPS. Is that it?

I don't have enabled what would be about "mixed content ruleset".

geekley commented 5 years ago

My browser is Opera, by the way.

pipboy96 commented 5 years ago

You just need to add an exception to this website.

geekley commented 5 years ago

Yeah, I did that. If I disable for this site, it works for me.

My worry is, what do you guys do for cases like this? I understand that it's the site's fault, and you can't cover every case of misconfigured site.

Is this common? Because if it is, it's possible that, by using the extension, I end up coming across other sites that get redirected to a completely different HTTPS version... without even realizing that there is a HTTP version that's different.

pipboy96 commented 5 years ago

Sadly, we don't have any way to disable redirecting any website for all users. It would be a serious security issue if we were able to.

geekley commented 5 years ago

Yea, I understand. Is there, at least, a way to know when the page has been redirected to HTTPS by the extension versus naturally by the server?

pipboy96 commented 5 years ago

You may use the Network tab of DevTools.

geekley commented 5 years ago

Hmm maybe it would be good if the extension button "counted one" for the page upgrade, in addition to the amount of resources it upgraded within the page. Just an idea. But anyways, I guess you can close this issue then. Thanks for the help! :)

pipboy96 commented 5 years ago

@geekley I can't. I'm not an employee of EFF.

geekley commented 5 years ago

Oh really? Well I can't close it myself either, it seems... that's weird... I mean, GitHub is weird... they make open issues (that need attention) green and closed issues (the ones you solved) red...

pipboy96 commented 5 years ago

@zoracon Close please.

RemakingEden commented 5 years ago

> Hmm maybe it would be good if the extension button "counted one" for the page upgrade, in addition to the amount of resources it upgraded within the page. Just an idea. But anyways, I guess you can close this issue then. Thanks for the help! :)

@geekley This is an interesting find! It does seem to be set up very unusually. I've just checked on my browser and if I have encrypt all sites and it redirects I get a 1 below the extension. See below. Is it not the same for you?

[Screenshot from 2019-02-11 20-56-52]

geekley commented 5 years ago

In this case it is the same, it shows 1 for me too, but I think that's not because of the redirect itself, it's probably something within the page that was upgraded. If I visit it by explicitly typing https, it also shows the same 1. If I visit http://example.com, for... example... then it redirects to https but it doesn't show 1 because the page doesn't contain any http resource that the extension upgraded.

geekley commented 5 years ago

I'm assuming the purpose of the number is so that you know when the extension is doing something on the page (so that, in cases like this, where it breaks the page, at least you know it). Otherwise... what would be its purpose?

If that's the case, I think it should count everything the extension might be changing on the page, including:

Well... if we are going to discuss this, should I turn it into a separate feature request?

geekley commented 5 years ago

Oh, I think I interpreted the meaning of the number incorrectly... I thought it was the total resources the extension upgraded (which makes more sense for me, since that's what adblockers show), but it seems to be the number of custom rules enabled for the site.

pipboy96 commented 5 years ago

@geekley Sadly, currently the counter is completely uninformative. We should either make it reflect the number of upgraded requests or deprecate it entirely.

zoracon commented 5 years ago

Noting the counter feedback for #16669 and closing out. The reason @geekley is not seeing EASE is because Opera's release had some issues. I am reaching out to them to iron out release issues.

Closing out.