HTTPS Everywhere extension for Microsoft Edge

[martinsuchan]

Microsoft released in July 2016 Windows 10 Anniversary Update which comes with a new version of Microsoft Edge browser that supports Extensions. These extensions use similar structure and API as Chrome extensions - porting the existing HTTPS Everywhere extension should be then really easy.

Documentation for developing Edge extensions is available here:
https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/extensions/

[TheRyuu]

Just to update the AU is now out for Windows 10 and so is the documentation for developing extensions[1]. Hopefully minimal modifications are required since it is just the WebRequest API with some minor technical differences to Chrome's.

Just for reference uBlock Origin requires minimal changes to get it working[2].

[1] https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/extensions/ [2] https://github.com/gorhill/uBlock/pull/1486#issuecomment-234380212

[jeremyn]

The current HTTPS-Everywhere development and build process is *nix-centric. I was recently told here that people using Windows 10 who want to contribute to HTTPS-Everywhere need to use some sort of Linux VM. However the equivalent of ChromeDriver for Edge, WebDriver, which allows for command-line browser testing, must be installed on Windows 10. So it seems to me that the build process needs to be made to work on Windows 10, or at least a parallel build process just for Edge needs to be created, before an Edge extension could be created.

[Artoria2e5]

MS Edge uses the common WebExtensions API, which is used by Opera as well. For me it's fine to have the tests come later than the proof of concept alphas.

P.S. WebDriver is also a common W3C API.

Regarding the conversion tool, It looks generally like a lint tool that also adds a bridge for the chrome object. Attached is a sample of its bridge scripts, generated for Stylish 1.3.1-1. (Warning: heavy use of ES6.) bridge.zip

[dxgldotorg]

Probably want to boycott the Windows DRM store: https://arstechnica.com/gaming/2017/04/microsoft-formally-bans-emulators-on-xbox-windows-10-download-shops/ Or perhaps publish it as a sideloaded extension? https://docs.microsoft.com/en-us/microsoft-edge/extensions/guides/adding-and-removing-extensions

[martinsuchan]

Note that Windows 10 Creators Update was just released and it contains even wider API set for Edge Extensions:
https://docs.microsoft.com/en-us/microsoft-edge/extensions/api-support/extension-api-roadmap

[elyscape]

@WilliamFeely I don't see how that's relevant to the purpose of this extension.

[dxgldotorg]

If HTTPS Everywhere were to divest itself of EFF, it would be a non-issue, but the latter gives instructions on how to install extensions outside of the Store.

[jeremyn]

Let's not turn this into a discussion about boycotting Windows or Edge. HTTPS Everywhere means providing HTTPS rewrite protection wherever possible, including on Edge.

I believe @Hainish has the WebExtension rewrite on his to-do list. If anyone wants to help make HTTPS Everywhere available on Edge, that effort is welcome, and they should coordinate their work with him.

[xt0rted]

I was trying to get Stylus working in Edge and ran into a number of issues where html5 templates & the extensions api aren't feature complete compared to Chrome, even in v15 which was released this/next week.

I'm not sure if templates are used anywhere but the DocumentFragment api is only partially implemented so properties like .firstElementChild don't work.

The extensions api I had issues with was

chrome.tabs.query({ currentWindow: true }, function(tabs) { ... });

When the currentWindow option is set to true, even with other options, the result is always undefined. Setting it to false returns a result, but that's not how either plugin is using it so it's a blocking issue. I reached out to the Edge team about this and they passed the question on to a team member to look into and confirm if it's a bug, but I haven't heard anything on it yet.

[robinhood2014]

Well, this is not good. I replaced every instance of "chrome.xxx" (where "xxx" represents functions of Google Chrome) with "myBrowser.xxx", and even removed all comments from all JavaScript files referenced in manifest.json, and the Edge Extension Toolkit is still reporting manifest.json as malformed. HTTPS Everywhere Prototype.zip

[Artoria2e5]

The toolkit does some heavy linting on the manifest. Have you checked for errors around things like the icon stuffs?

[robinhood2014]

According to the toolkit, only the manifest file has errors.

[Artoria2e5]

I fed the 2017.4.5 directory to the toolkit. This time it spits out the error as:

manifest.json  .author : invalid type: object (expected string)

The current value provided is in fact a violation of WebExtentions Spec, as per https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/author. Fixing that gives a "ready to go" message for the extension.

[gloriousjob]

Hi all,

I created this zip and it seems to work on my machine. Just extract it and sideload the extension. https_everywhere_edge.zip

The process I followed was fairly simple (though it took a few tries to figure out and get working):

1. Extracted the chrome extension.
2. Opened manifest.json and made the following changes: a. changed author to "author": "eff.software.projects@gmail.com" since braces are non-standard (https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/author) b. Added the following subproperty to "background": ,"persistent": true c. Added the following property: "locale": "en" d. Added the following property: "minimum_edge_version": "33.14281.1000.0"
3. Opened all js files with chrome references and placed this code at the top: if (typeof msBrowser !== 'undefined') { chrome = msBrowser; } else if (typeof browser !== 'undefined') { chrome = browser; }

[elyscape]

@gloriousjob Why are you using !== for checking typeof msBrowser but != for typeof browser?

[saschanaz]

@gloriousjob Why msBrowser? I think Edge uses browser.

[gloriousjob]

@elyscape Good call! I copied that code from elsewhere which said that is what MS was doing. It makes sense to do an actual equals there. I've updated my previous comment and uploaded a new zip.

@SaschaNaz I've read that Edge was using msBrowser and browser is where the browsers are trying to standardize to. It's safer to have both just in case. If msBrowser is wrong, the if statement will skip it anyway.

[gmng]

I tried gloriousjob's zip and loaded the folder in EDGE but it does not redirect the link what I tried to HTTPS. It was an http link in a gmail mail but it does not redircted it to the https proto. (the page has https access too, I tried it manually in the address bar)

[elyscape]

@gmng Does HTTPS Everywhere redirect the site in question when using Chrome?

[gmng]

@elyscape No, it doesn't. I use this extension in FF with no problem, and now I installed it in chrome to test, but no, it does not redirect the page. It's a parcel tracking page (GLS) and has both http and https access. Same behaviour like in EDGE, when I insert the link in plain HTTP it doesn't redirect to https. When I change the proto manually to httpS in the address bar, I can access the page over SSL.

[gloriousjob]

@elyscape thanks for asking the question @gmng so the edge extension I made is just a port of the chrome extension. This is really an issue with the chrome extension. Maybe you should write up a separate issue?

On April 22, 2017 3:53:12 AM gmng notifications@github.com wrote:

@elyscape No, it doesn't. I use this extension in FF with no problem, and now I installed it in chrome to test, but no, it does not redirect the page. It's a parcel tracking page (GLS) and has both http and https access. Same behaviour like in EDGE, when I insert the link in plain HTTP it doesn't redirect to https. When I change the proto manually to httpS in the address bar, I can access the page over SSL.

-- You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub: https://github.com/EFForg/https-everywhere/issues/5101#issuecomment-296355898

[jeremyn]

If anyone wants to let people know about a site that needs an HTTPS Everywhere redirect, you can just note it in issue https://github.com/EFForg/https-everywhere/issues/3069.

[nicole-ashley]

@gloriousjob msBrowser is not used by Edge, it can be removed entirely.

What are the next steps now for Edge support?

[martinsuchan]

So what's the status of the extension for Edge, any blockers I can help with or ETA when it could be ready?

[craige1]

With the converter and the steps gloriousjob did, it seems extremely easy to make this. Can i push for this to be put into the store officially?

[jeremyn]

@Hainish has authority here and I don't want to step on his toes, but, just to set expectations, right now I believe the big technical focus is on converting the XUL/XPCOM version of the Firefox extension to use WebExtensions in time for the Firefox 57 release where XUL/XPCOM extensions won't work anymore. See here for related tagged issues. Once the Firefox migration is public and settled then @Hainish / the EFF might decide to work on the Edge version. Firefox 57 is due out in November 2017 so Edge might not have priority until then at least.

[Hainish]

Thanks @jeremyn. In addition, our legal department needs to look at whether we are able to comply with the MS developer license agreement.

[dxgldotorg]

@Hainish Could the issue with the developer agreement be resolved by making the HTTPS lists an external download, so as there are no hard-coded references to domains whose content may violate the Agreement or may even contain legal violations?

[craige1]

Thanks for getting back to me. Its actually great news that this is being looked into. I understand that the dev work priority will lie with the current plugins, I just wanted to check in to see that an edge plugin wasn't being ignored, or forgotten. Here's to hoping the legal issues aren't an issue (how are the play store and apple store dealt with?).

[martinsuchan]

Once there is working beta of the extension I'd suggest creating Windows Store account and submitting the extension for test using this form:
https://developer.microsoft.com/en-us/microsoft-edge/extensions/requests/ Microsoft will then contact you with details and necessary info to get the extension into Store.

And since there is Windows 10 Fall Creators Update planned for September/October this year, it would be nice to have HTTPS Everywhere as a highlighted Edge extension when this Windows update is released.

[uncnqrd]

Is the main issue blocking a version for Edge the MS developers license agreement? Or is there a technical issue, such as specific API support missing?

[dxgldotorg]

I do not believe there is any license issue preventing creating an addon, just in submitting it to the Store, which does have various rules on what kind of software is and is not allowed.

[nicole-ashley]

Knowing their rules I don't believe this would be blocked, in fact it would be welcomed. You just need to apply for permission to launch Edge extensions at the moment

I publish uBlock for Edge and have an existing relationship with the team. I'd be happy to do it for this, though it would be under my personal name if that was the case, and I would need to upload all the releases. If it was to be done under the Foundation's name then someone would need to apply for a Company account and go through Verisign verification.

[jeremyn]

I assume the blocking problem here is that the one person who could make this happen officially -- @Hainish -- isn't interested, or at least has made an Edge extension low priority vs everything else.

I suggest anyone who wants this done on any definite schedule either become big enough for the EFF to listen, or fork/repackage the code.

Regarding a fork, take a look at issue https://github.com/EFForg/https-everywhere/issues/12606 "Discussion about out-of-band ruleset updates". The EFF wants to move to a model where the extension regularly fetches EFF-signed updates from the internet outside the browser update process. I encourage anyone who is considering a project fork, even for their own personal use, to participate in that discussion.

[ghost]

@jeremyn Great, now we are discussing fragmenting the user base with forks.

[ghost]

Let's develop Edge version as a part of this project, not as a third-party fork.

[jeremyn]

@koops76 A fork isn't great but the reality is that the EFF doesn't do well with big community efforts like this. I wrote about this a little in https://github.com/EFForg/https-everywhere/issues/9111#issuecomment-320453076. So we're in a position here where the EFF is, I think, unlikely to say either yes, they'll do it, or no, they officially disapprove. Instead it'll just float around forever unless someone else takes ownership of it.

The good news is that the EFF makes some effort to make HTTPS Everywhere friendly to downstream, for example see https://github.com/EFForg/https-everywhere/issues/6937 "Cultivate a list of HTTPS Everywhere downstream ruleset dependencies". So perhaps we should think of what @nikrolls is proposing as a downstream packaging of HTTPS Everywhere for Edge, rather than a (hostile) fork.

In any case, @nikrolls seems perfectly placed to do this since he is doing the same thing for uBlock Origin. If he wants to take on this work then I personally am all for it.

[ghost]

@jeremyn A fork means security patches will take more time to reach the users and also means that developers' efforts will be less focused.

[ghost]

@jeremyn A one-man repackaging of the extension would have trust issues. One person is easier to force to make unwanted modifications to the extension than a large organization such as EFF.

[ghost]

This extension is recommended for use by activists, and while I am not an activist, I don't want my machine to be compromised as a part of a campaign targeting activists.

[isshininu]

Any news about Edge version of extension? Firefox 57 is already out.

[martinsuchan]

Hi, any update regarding this extension? As I noted earlier, I have already published several Windows Store apps. Publishing Edge extensions to Store is a similar process, so if you need any help when creating Dev account or packaging the extensions, just let me know here or on Twitter, I'm ready to help.

[Hainish]

Last time I checked, several of the WebExtension APIs we use hadn't been implemented in Edge. I'd have to do some poking around to see if this is still the case. This may take some significant time to rewrite the codebase to work around this shortcoming. Currently, our development roadmap is detailed here: https://lists.eff.org/pipermail/https-everywhere/2018-January/002760.html.

[martinsuchan]

@Hainish What kind of API is missing in Edge, that is required for the HTTPS Everywhere extensions? Current list of supported APIs and roadmap is available here: https://docs.microsoft.com/en-us/microsoft-edge/extensions/api-support/extension-api-roadmap

[jppmarujo]

It would be amazing to see this coming to life. This is a core extension for every major browser, and Edge lacking it is a shortcome that i think the browser does not deserve, if we look at its current state. It's stable, fast and has many great features - minus this potentially great one.

I don't know if this is still low-priority or not, but i think both Edge and HTTPS Everywhere userbase would grow if both complemented each other.

Nevertheless, great job, devs.

[andresbase]

Hi everyone, Thanks for keeping this discussion going with all the helpful comments and feedback. As an update on EFF's ability to ship on the Microsoft Store the last legal review was that we couldn't due to provisions that we could not comply with. Although it's an old post about Apple, it touches on similar issues https://www.eff.org/deeplinks/2014/12/sorry-iphone-users-apples-dev-agreement-means-no-eff-mobile-app-iphone.

I have requested a legal review of the latest developer agreements and looking forward to share the result end of April.

Thanks!

[martinsuchan]

@andresbase Hi, can you go please into details what are the points in Microsoft Store App Developer Agreement or Microsoft Store Policies that prohibits publishing the HTTPS Everywhere addon?

I've read the article you mentioned and it targets publishing EFF Alerts app on App Store. That's a quite different app and Store. It's known that Apple App Store had the most strict rules about published apps. There should be fewer showstoppers when publishing on Microsoft Store from my experience.

[jeremyn]

uBlock Origin is available for Microsoft Edge and is licensed under GPLv3. It's published by @nikrolls who commented earlier on this issue. Edge extensions have to be submitted for review by Microsoft so I assume Microsoft is okay with it.

HTTPS Everywhere is licensed under GPLv2 or later. If someone wanted to fork it, they could do so, immediately relicense it as GPLv3, and be in the same legal situation as uBlock Origin is.

I'm not sure what an EFF legal review is needed for. Maybe the EFF, as an organization, finds something about the Microsoft agreements or ecosystem distasteful, and doesn't want to publish something with Microsoft under its own name. I can understand that. However, as far as I understand it, the EFF can't legally block others from doing that, under the terms of the GPL.

So, I hope that @andresbase 's answer was not an attempt to say that a fork requires the EFF's approval, since imposing such a requirement is not allowed by the GPL, again, as far as I understand it.

[jeremyn]

the EFF can't legally block others from doing that

By "that", I mean forking HTTPS Everywhere and publishing it under their own name, not the EFF's name. Of course the EFF can block people from publishing software under the EFF's name.

[StephenVictor]

There does seem to be a lot of foot-dragging on this. I know some developers have an anti-Microsoft bias for various reasons. I do hope that's not causing this vital security issue to be neglected.