Closed ghost closed 5 years ago
Thanks for letting me know.
I will be adding a whitelist feature to give users more control in scenarios like this one. Not sure when, but hopefully soon.
I just added a basic whitelisting feature in 0.6.0b2
. Note that it is available only through the newly added url bar icon. I tried to keep things simple because I think such a feature would only be necessary in very special cases.
@claustromaniac , I've been notified by GitHub of the availability of HTTPZ 0.6.0b2, installed it immediately.
Unfortunately, no toolbar button and moreover... http to https didn't work on a site I used previously with 0.6.0b1, http://www.acidtests.org/ ... (https-ready) something's going wrong.
no toolbar button
The extension still doesn't have a toolbar icon. 0.6.0b2
is meant to show an url bar icon (a page action) when HTTPZ redirects a site to HTTPS (or when it doesn't because of the whitelist).
I can't reproduce your issue with http://www.acidtests.org/.
OK for the urlbar icon, I hadn't understood that. Nevertheless it didn't show up here despite several opportunities.
I can't reproduce your issue with http://www.acidtests.org/.
I tested several other https-ready sites which weren't directed to https when called via http:
http://businessinsiderusa.com/ http://www.softwareok.com/ http://wordsmith.org/
But I think I face a true issue here because[profile]\browser-extension-data\httpz@cm.org\storage.js
remains empty so to say (33bytes, {"ignorePeriod":7,"whitelist":{}}
after exiting Firefox and having tested several sites (both https-ready via http and http-only sites).
I'm searching for obstructions ...
By the way: HTTPS 0.6.0b2 / Firefox 64.0.2 (x64) / Windows 7 (x64)
I managed to track down the issue. 0.6.0b3
should work. Sorry about the inconvenience.
I just installed HTTPZ 0.6.0b3, tested, and all is just perfect up to now.
@claustromaniac : the eagle has landed!
Nice work as usual and bravo for your commitment. As I see it now HTTPZ is the best in its category, and I've tried them all. After having proceeded to the thorough testing as usual I encounter no issue at this time.
That's great. I'll do the actual release shortly. Thank you for your help :smile_cat:
Hi @claustromaniac , I tried httpz-0.6.0b-an+fx.xpi (downloaded from GitHub, not yet available at AOM) and the extension is brilliant, combines all we've been talking about at #2
Your Readme.md explains perfectly well what HTTPZ performs as well the known issues.
There is unfortunately another issue, not related to your code but to to the very http-to-https, this time when https is indeed available (the easiest scenario).
I'm referring to a page which calls 3rd-party servers via http when these 3rd-party servers will include mixed-content.
If HTTPZ successfully starts the http site via https and if Mixed Content is called via http, then, if the Mixed Content is passive (content such as images) then the user's
security.mixed_content.block_display_content
will have to be set to false (default=false) but if the Mixed Content is active (content such as scripts) then the user'ssecurity.mixed_content.block_active_content
will have to be set to true (default=false)An example:http://www.internetlivestats.com/
If that site is called via https (and it does accept https) then, in order to view the page displayed correctly, I need to set
security.mixed_content.block_active_content
to false which is unsecure.In other words, there are sites which still need to be accessed via http even though they are accessible via https. This means that HTTPZ would require a whitelist for sites always accessed via http even when https is available. Getting complex.
Sorry for having been lengthy, but what i'm afraid of is that the very concept of try https - keep if ok - revert to http otherwise appears to be far more problematic than one could believe initially