Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

✨ Feature Suggestion | HTTPS Everywhere: recommend enabling EASE mode / CSP warning for Firefox webextensions #1292

Open
Mikaela opened this issue Sep 10, 2019 · 5 comments

Comments

@Mikaela
Copy link
Member

@Mikaela Mikaela commented Sep 10, 2019

I happened to notice that I was accessing some sites, even ones that have HTTPS and even on Brave getting, over HTTP.

HTTPS Everywhere has opt-in mode Encrypt All Sites Eligible that seems useful that we could potentially recommend enabling?

Screenshot from 2019-09-11 00-20-58

@nitrohorse

This comment has been minimized.

Copy link
Member

@nitrohorse nitrohorse commented Sep 11, 2019

Great idea! Also as reference, enabling EASE is a toggle:

httpseverywhere

@Thorin-Oakenpants

This comment has been minimized.

Copy link

@Thorin-Oakenpants Thorin-Oakenpants commented Sep 11, 2019

This will use a CSP header injection that may or may not work: depending on your other extensions. Since web extensions, when two or more extensions use CSP header injection, only one will win: meaning the other extension(s) will fail to work as designed

some examples: some functions in : uBO, uMatrix, CanvasBlocker

  • read: https://github.com/ghacksuserjs/ghacks-user.js/issues/664
@Mikaela

This comment has been minimized.

Copy link
Member Author

@Mikaela Mikaela commented Sep 11, 2019

Dawidpotocki mentioned that in team chat last night and I have two open questions about it:

  • Should we have a warning about CSP header using extensions for our at least 7 extensions that can be in conflict?
  • Does this issue also affect Chromium?

https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.1-Extensions

Edit: see also EFForg/https-everywhere#17735 via ghacks-user.js/664 ?
Edit2: related: EFForg/https-everywhere#18194 but I don't think that one affects us.

@Mikaela Mikaela added the wip label Sep 11, 2019
@Thorin-Oakenpants

This comment has been minimized.

Copy link

@Thorin-Oakenpants Thorin-Oakenpants commented Sep 11, 2019

Does this issue also affect Chromium

I don't think so: but I'm not an expert on chromium. See https://bugzilla.mozilla.org/show_bug.cgi?id=1462989#c20

gorhill:

... which actually explains why it works with Chromium

@Mikaela Mikaela changed the title ✨ Feature Suggestion | HTTPS Everywhere: recommend enabling EASE mode ✨ Feature Suggestion | HTTPS Everywhere: recommend enabling EASE mode / CSP warning for Firefox webextensions Sep 12, 2019
@blacklight447-ptio

This comment has been minimized.

Copy link
Member

@blacklight447-ptio blacklight447-ptio commented Sep 17, 2019

maybe we can add this with a trade off warning? I can see quite a few people not using umatrix, and i think most of what canvas blocker does can also be done by turning on resist fingerprinting.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
4 participants
You can’t perform that action at this time.