gorhill / httpswitchboard

Point & click to forbid/allow any class of requests made by your browser. Use it to block scripts, iframes, ads, facebook, etc.
GNU General Public License v3.0

"Auto whitelist page domain." is whitelisting top-level domains (com.uk) #382

Closed eduardoeae closed 10 years ago

eduardoeae commented 10 years ago

When using the "Auto whitelist page domain." option, for example on "foobar.com.uk", the whitelisted domain is "com.uk". Also, this option is not exactly "Less security". I use it together with everything blacklisted, except css and img, resulting in only the current domain's css and img being loaded.

gorhill commented 10 years ago

Whoa, that's bad, definitely not supposed to happen. Investigating.

gorhill commented 10 years ago

Ok, I didn't see this behavior. HTTPSB uses Mozilla's Public Suffix List ("PSL"), so that definitely should not happen. I need more details, and steps to reproduce. If you meant that literally with foobar.com.uk, HTTPSB whitelists com.uk, well that would be the expected behavior, because com.uk is not a suffix as per PSL, co.uk is.

gorhill commented 10 years ago

Here, I am transcribing the public suffix for uk:

uk
ac.uk
co.uk
gov.uk
ltd.uk
me.uk
net.uk
nhs.uk
org.uk
plc.uk
police.uk
*.sch.uk

com.uk is not there, and the only match is uk, thus com.uk is a valid domain.
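To make the matching rule concrete, here is an added example (not HTTPSB's own code) of a minimal Public Suffix List matcher over the uk rules transcribed above. The PSL algorithm picks the matching rule with the most labels (a `*.sch.uk` wildcard consumes one extra label), treats that as the public suffix, and calls the suffix plus one more label the registrable domain. The rule subset, the function names and the `coveredBy` helper are this example's own assumptions; exception rules (`!`) and the PSL's implicit `*` fallback rule are left out because the transcribed list has none.

```javascript
// Added example, not code from HTTPSB. A toy Public Suffix List matcher
// using only the uk rules quoted in the comment above (constructed subset).
const PSL_UK = [
  'uk', 'ac.uk', 'co.uk', 'gov.uk', 'ltd.uk', 'me.uk', 'net.uk',
  'nhs.uk', 'org.uk', 'plc.uk', 'police.uk', '*.sch.uk',
];

// Does a PSL rule match the hostname labels? Rules are compared right to
// left; a '*' label in the rule matches any single hostname label.
function ruleMatches(rule, labels) {
  const ruleLabels = rule.split('.');
  if (ruleLabels.length > labels.length) return false;
  for (let i = 0; i < ruleLabels.length; i++) {
    const r = ruleLabels[ruleLabels.length - 1 - i];
    const l = labels[labels.length - 1 - i];
    if (r !== '*' && r !== l) return false;
  }
  return true;
}

// The public suffix is the longest (most labels) matching rule.
// Returns null when no rule in our subset matches (the real PSL would
// fall back to its implicit '*' rule; omitted here).
function publicSuffix(hostname, rules = PSL_UK) {
  const labels = hostname.toLowerCase().split('.');
  let best = 0;
  for (const rule of rules) {
    if (!ruleMatches(rule, labels)) continue;
    best = Math.max(best, rule.split('.').length);
  }
  if (best === 0) return null;
  return labels.slice(labels.length - best).join('.');
}

// Registrable domain = public suffix plus one more label. A hostname that
// is itself a public suffix (e.g. "co.uk") has no registrable domain.
function registrableDomain(hostname, rules = PSL_UK) {
  const suffix = publicSuffix(hostname, rules);
  if (suffix === null) return null;
  const labels = hostname.toLowerCase().split('.');
  const n = suffix.split('.').length;
  if (labels.length <= n) return null;
  return labels.slice(labels.length - n - 1).join('.');
}

// Blast radius of a whitelist entry: a domain-level rule covers the domain
// itself and every subdomain beneath it.
function coveredBy(hostname, whitelistedDomain) {
  const h = hostname.toLowerCase();
  const d = whitelistedDomain.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Walk-through of the case discussed in the issue (constructed hostnames).
for (const host of ['foobar.com.uk', 'www.foobar.co.uk', 'www.example.sch.uk', 'co.uk']) {
  console.log(host, '->', publicSuffix(host), '/', registrableDomain(host));
}
// Whitelisting "com.uk" (the registrable domain under these rules) also
// covers any sibling host under com.uk, which is the point of the report.
console.log('other.com.uk covered by com.uk:', coveredBy('other.com.uk', registrableDomain('foobar.com.uk')));
```

Running this shows `foobar.com.uk` reducing to `com.uk` exactly as the comment states, because `uk` is the only matching rule, while `www.foobar.co.uk` reduces to `foobar.co.uk` and a host under `*.sch.uk` keeps three labels. The `coveredBy` line makes the practical consequence visible: whatever the PSL says, an auto-whitelist entry for `com.uk` grants the same permissions to every other host that happens to sit under `com.uk`.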

gorhill commented 10 years ago

Also this option is not exactly "Less security"

Forgot to comment on this one. HTTPSB's natural state is block-all/allow-exceptionally, with only css/img whitelisted. So allowing javascript automatically is a reduction in security compared to the natural, reference state.