Closed eduardoeae closed 10 years ago
Whoa, that's bad, definitely not supposed to happen. Investigating.
Ok, I didn't see this behavior. HTTPSB uses Mozilla's Public Suffix List ("PSL"), so that definitely should not happen. I need more details, and steps to reproduce. If you meant that literally with foobar.com.uk, HTTPSB whitelists com.uk, well that would be the expected behavior, because com.uk is not a suffix as per PSL, co.uk is.
Here, I am transcribing the public suffix for uk:
uk
ac.uk
co.uk
gov.uk
ltd.uk
me.uk
net.uk
nhs.uk
org.uk
plc.uk
police.uk
*.sch.uk
com.uk is not there, and the only match is uk, thus com.uk is a valid domain.
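The matching described in the comment above, as an added example (not HTTPSB's code and not part of the original thread): a minimal Public Suffix List lookup in JavaScript run over the uk rules exactly as transcribed above, showing why foobar.com.uk resolves to com.uk. The function names are made up for this illustration, and the rule list is the thread's snapshot, not the current PSL.

```javascript
// uk rules exactly as transcribed in the comment above (a snapshot, not the current PSL).
const UK_RULES = ["uk", "ac.uk", "co.uk", "gov.uk", "ltd.uk", "me.uk", "net.uk",
                  "nhs.uk", "org.uk", "plc.uk", "police.uk", "*.sch.uk"];

// Normalise a hostname into lowercase labels, dropping a trailing dot.
const toLabels = (hostname) => hostname.toLowerCase().replace(/\.$/, "").split(".");

// Does one PSL rule match the hostname? Labels are compared right to left; "*" matches any one label.
function ruleMatches(ruleLabels, hostLabels) {
  if (ruleLabels.length > hostLabels.length) return false;
  for (let i = 1; i <= ruleLabels.length; i++) {
    const r = ruleLabels[ruleLabels.length - i];
    const h = hostLabels[hostLabels.length - i];
    if (r !== "*" && r !== h) return false;
  }
  return true;
}

// Public suffix: the longest matching rule wins, a "!" exception rule beats all
// others, and with no match the implicit default rule "*" (last label) applies.
function publicSuffix(hostname, rules) {
  const host = toLabels(hostname);
  let best = 1; // default rule "*"
  for (const raw of rules) {
    const isException = raw.startsWith("!");
    const labels = (isException ? raw.slice(1) : raw).split(".");
    if (!ruleMatches(labels, host)) continue;
    if (isException) { best = labels.length - 1; break; } // suffix is the rule minus its leftmost label
    best = Math.max(best, labels.length);
  }
  return host.slice(host.length - best).join(".");
}

// Registrable domain (what an "auto whitelist page domain" option would pick):
// the public suffix plus one more label, or null if the hostname is itself a suffix.
function registrableDomain(hostname, rules) {
  const host = toLabels(hostname);
  const suffixLen = publicSuffix(hostname, rules).split(".").length;
  if (host.length <= suffixLen) return null;
  return host.slice(host.length - suffixLen - 1).join(".");
}

// Constructed sample hostnames.
for (const h of ["foobar.com.uk", "foobar.co.uk", "www.example.lea.sch.uk", "co.uk"]) {
  console.log(h, "->", registrableDomain(h, UK_RULES));
}
```

Under this rule set com.uk is an ordinary registrable domain beneath the suffix uk, so every name under it, foobar.com.uk included, falls within the same whitelisted scope.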
Also this option is not exactly "Less security"
Forgot to comment on this one. HTTPSB's natural state is block-all/allow-exceptionally, with only css/img whitelisted. So allowing javascript automatically is a reduction in security compared to the natural, reference state.
When using the "Auto whitelist page domain." option, for example on "foobar.com.uk", the whitelisted domain is "com.uk". Also this option is not exactly "Less security". I use it together with everything blacklisted, except css and img, resulting in only current domain css and img loaded.