Replies: 0 comments 5 replies
-
Perhaps you could ask @EFForg folks how they came up with a strategy for https://github.com/EFForg/https-everywhere ? |
Beta Was this translation helpful? Give feedback.
-
Am I getting this correctly? A flaw is reported in the cases that can't be fixed by the user? I would have thought that the flaw would appear if the domain can be forced but the link is using http. Obviously we'll miss any case we haven't got in our list of "can be forced" domains.
Note that this would be the rendered URL but I would expect the in-source URL to be In any case, the idea behind your suggestion seems solid to me. PS Back on deck tomorrow and will look at any unapproved PRs for me then. |
Beta Was this translation helpful? Give feedback.
-
Let's be more clear. It's only going to be a flaw if the |
Beta Was this translation helpful? Give feedback.
-
Hey, now there's a pull request to resolve this: mdn/yari#3657 |
Beta Was this translation helpful? Give feedback.
-
I don't see a way to "close" a discussion but as of mdn/yari#3657 we have a solution. If anything, the next action is to keep hunting for |
Beta Was this translation helpful? Give feedback.
-
Here's how it currently works in Yari
Any and every external URL is always forcibly converted to
https://
no matter if that external domain as a valid TLS cert.becomes:
(note the extra
s
on thehref
value)The problem
What happens is that, for example, http://visualiser.fr/babylon/crowd was working but https://visualiser.fr/babylon/crowd isn't.
Now our users are presented with external hyperlinks that don't work but would have worked if we just left them alone.
Our security worries have probably gone too far! And (together with my Yari PR reviewers) I apologize for that for it was my design. Sorry. Yes, we are Mozilla and we really want a secure web, but I think this went a bit too far.
The other problem is that it's hard to know if a URL is going to work if you force it to HTTPS. It's a timely and fragile calculation that we can't conceivably do every single time for every single link in tens of thousands of documents.
Proposed solution
Let's not automatically force all external http:// URLs to https:// anymore. Let's do something a bit smarter.
Last week, I ran a complete build to get a complete list of every possible
http://
link and for each and every domain in that list I have used a Python script to painstakingly test if switching tohttps://
would work.@hamishwillee and I have been using this script output to slowly roll out mass fixes to the mdn/content repo for the domains we know it will definitely work for. See this search for PRs
My suggestion is to check in the
.json
file it built into Yari and use this in Yari building and the flaw system.So if a page has a
<a href="http://....">
link, if that domain can't be forced tohttps://
it will stand out as a flaw.So that only affects the flaw system (which is exposed in the PR Review Companion).
Alongside with this, we'll stop automatically and forcibly turn all
http://
links tohttps://
at build-time.Beta Was this translation helpful? Give feedback.
All reactions