brackets-archive / brackets.io

brackets.io website

Fix HTTPS Everywhere #97

Open core-ai-bot opened 3 years ago

core-ai-bot commented 3 years ago

Issue by MarcelGerber Thursday Mar 05, 2015 at 20:35 GMT

Originally opened as https://github.com/adobe/brackets.io/pull/143


... by directly requesting https version of update info

For #138


MarcelGerber included the following code: https://github.com/adobe/brackets.io/pull/143/commits

core-ai-bot commented 3 years ago

Comment by peterflynn Thursday Mar 05, 2015 at 20:49 GMT


I guess the question is, do we want to modify our page just to work around a (hopefully temporary) bug in a browser extension? How widely used is this extension? (I hadn't heard of it before the bug was reported)

Also, would we need to make any other changes for this to fully work? The extension bug indicates that it also frequently breaks analytics (which is important for download counts) and webfonts (which we might also be loading from a different domain?).

core-ai-bot commented 3 years ago

Comment by peterflynn Thursday Mar 05, 2015 at 20:51 GMT


I wonder if an alternative fix would be to just make sure our links don't totally fail when the JSON update feed is unavailable. That also wouldn't fix any other parts of the page broken by HTTPS Everywhere, but OTOH it would benefit other cases rather than being a workaround specific to this one extension.

core-ai-bot commented 3 years ago

Comment by MarcelGerber Thursday Mar 05, 2015 at 21:16 GMT


We already default the big hero download button to the GitHub releases page, and yes, it won't hurt to do the same for the "Download Brackets without Extract" button, too.

I had heard of HTTPS Everywhere before, but never used it myself. I guess this fix won't hurt, and we don't need to do anything else to make it work.

I don't know about analytics right now, but yeah, that's possible. I quickly looked at the list of hosts the addon forces HTTPS for on our page, and it showed Google Analytics and Amazon S3 Web Services (which causes this issue). So, it definitely doesn't impact webfont loading, at least.

core-ai-bot commented 3 years ago

Comment by anewuser Friday Mar 06, 2015 at 03:17 GMT


@peterflynn There's no info on the number of users on Firefox because they don't offer it through the Mozilla website (here's the official explanation), but HTTPS Everywhere is very popular among privacy-minded people. According to their official repositories, the Chrome version has 794,630 users, and the Opera version has 190,075 users.

core-ai-bot commented 3 years ago

Comment by MarcelGerber Friday Mar 06, 2015 at 20:12 GMT


@peterflynn I've attached a patch to default the download button(s) to the GitHub releases page. I've left the other fix in - in case you don't wanna take it, tell me and I'll remove it.

I've changed the default URL of the big hero download button to https://github.com/adobe/brackets/releases as well, as we can't decide whether releases/latest is the Extract build or not.

core-ai-bot commented 3 years ago

Comment by jsha Sunday Mar 08, 2015 at 20:40 GMT


Hi @peterflynn! I'm the current maintainer for HTTPS Everywhere. Apologies for the CORS bug (https://github.com/EFForg/https-everywhere/issues/49) causing issues on your site. I'm definitely planning to fix it, but our developer time at EFF is extremely limited, the bug is a bit complex and not yet fully understood, and it may be a little while before I can roll out a fix. However, I will treat this issue as bumping up the priority.

I'd recommend updating these URLs to the secure version anyhow, because it's one more step on the road to making your site use HTTPS by default for all pages, which we at EFF strongly believe is the direction the web is moving. Chrome has even started planning for the day when they can indicate HTTP URLs with the same insecure marker they use for HTTPS sites with a bad certificate.

Thanks, Jacob

core-ai-bot commented 3 years ago

Comment by ficristo Friday Sep 23, 2016 at 18:12 GMT


I don't know about the analytics side but I would not rely on relative URLs. I would prefer to be always explicit on using https.
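
The two fixes discussed in this thread, as an added example that is not code from the brackets.io repository: request the update feed explicitly over https, and keep the download link on the GitHub releases page whenever the feed is unavailable or yields a link that is not https. The feed shape (a `downloadURL` field on the first entry), the host allow-list and the function names are assumptions.

```javascript
// Added example; feed shape, allow-list and names are assumptions, not brackets.io code.
const FALLBACK_URL = "https://github.com/adobe/brackets/releases"; // default named in the thread
const ALLOWED_HOSTS = new Set(["github.com"]); // hypothetical allow-list of download hosts

// Accept the feed's download link only if it is an absolute https URL on an
// allowed host. A missing feed, a malformed entry, a relative or http link,
// or an unknown host all yield the fallback, so the button never breaks.
function pickDownloadUrl(feed) {
  try {
    const entry = Array.isArray(feed) ? feed[0] : null;
    const url = new URL(entry.downloadURL); // throws on null entry or relative URL
    if (url.protocol === "https:" && ALLOWED_HOSTS.has(url.hostname)) {
      return url.href;
    }
  } catch (_) {
    // fall through to the default link
  }
  return FALLBACK_URL;
}

// Fetch the feed explicitly over https. Any failure (a CORS rejection after an
// extension rewrites the request, a network error, a non-2xx status, bad JSON)
// resolves to the fallback instead of rejecting.
async function resolveDownloadUrl(feedUrl, fetchImpl = fetch) {
  try {
    if (new URL(feedUrl).protocol !== "https:") return FALLBACK_URL;
    const res = await fetchImpl(feedUrl);
    if (!res.ok) return FALLBACK_URL;
    return pickDownloadUrl(await res.json());
  } catch (_) {
    return FALLBACK_URL;
  }
}
```

`fetchImpl` is injectable so the failure paths can be exercised with a stub instead of a live request.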