Merge branch '4.0' of github.com:EFForg/https-everywhere into 4.0

jsha · jsha · commit 61e557b5a6fe · 2014-11-25T18:02:34.000-08:00
diff --git a/src/chrome/content/rules/Bet365-Group.xml b/src/chrome/content/rules/Bet365-Group.xml
@@ -1,10 +1,14 @@
 <!--	!functional:
 		- imstore	(banners included on 3rd-party websites)
+		- members.bet365.com ²
+
+	² Blank page
+
 -->
 <ruleset name="bet365 Group (partial)">
 
 	<target host="bet365.com"/>
-	<target host="*.bet365.com"/>
+	<target host="www.bet365.com"/>
 	<target host="bet365affiliates.com"/>
 	<target host="www.bet365affiliates.com"/>
 
@@ -14,9 +18,6 @@
 	<rule from="^http://(?:www\.)?bet365\.com/"
 		to="https://www.bet365.com/"/>
 
-	<rule from="^http://members\.bet365\.com/"
-		to="https://members.bet365.com/"/>
-
 	<rule from="^http://(?:www\.)?bet365affiliates\.com/"
 		to="https://www.bet365affiliates.com/"/>
 
diff --git a/src/chrome/content/rules/Blockchain.info.xml b/src/chrome/content/rules/Blockchain.info.xml
@@ -0,0 +1,38 @@
+<!--
+	blog is handled in WordPress-blogs.xml.
+
+
+	Problematic subdomains:
+
+		- blog *
+
+	* Wordpress
+
+
+	Observed cookie domains:
+
+		- . ¹
+		- markets ²
+
+	¹ Some secured by server, others by us
+	² Secured by us
+
+-->
+<ruleset name="Blockchain.info">
+
+	<target host="blockchain.info" />
+	<target host="*.blockchain.info" />
+
+
+	<!--	Not secured by server:
+					-->
+	<!--securecookie host="^markets\.blockchain\.info$" name="^_bitcoinity_session$" /-->
+
+	<securecookie host="^(?:markets)?\.blockchain\.info$" name=".+" />
+
+
+	<rule from="^http://((?:markets|static|www)\.)?blockchain\.info/"
+		to="https://$1blockchain.info/" />
+
+</ruleset>
+<!-- Rule generated by HTTPS Finder 0.85 -->
diff --git a/src/chrome/content/rules/CDT.xml b/src/chrome/content/rules/CDT.xml
@@ -10,9 +10,8 @@
 	<securecookie host="^\.cdt\.org$" name=".*" />
 
 
-	<!--	Cert only matches www.	-->
-	<rule from="^https?://(?:www\.)?cdt\.org/"
-		to="https://www.cdt.org/" />
+	<rule from="^http://(www\.)?cdt\.org/"
+		to="https://$1cdt.org/" />
 
 	<rule from="^http://(www\.)?notwithoutawarrant\.com/"
 		to="https://$1notwithoutawarrant.com/" />
diff --git a/src/chrome/content/rules/Cloudfront.xml b/src/chrome/content/rules/Cloudfront.xml
@@ -1,35 +1,16 @@
 <ruleset name="Cloudfront">
-  <target host="www.cloudfront.net" />
+  <target host="cloudfront.net" />
   <target host="*.cloudfront.net" />
 
   <rule from="^http://([^/:@\.]+)\.cloudfront\.net/"  to="https://$1.cloudfront.net/"/>
-  <!-- Deal with https://trac.torproject.org/projects/tor/ticket/6848 -->
-  <exclusion pattern="^http://d1b14unh5d6w7g\.cloudfront\.net" />
-  <!-- https://trac.torproject.org/projects/tor/ticket/7020 -->
-  <exclusion pattern="^http://d1i6vahw24eb07\.cloudfront\.net" />
-  <!-- C-SPAN videos: https://trac.torproject.org/projects/tor/ticket/7567 -->
-  <exclusion pattern="^http://d1k4es7bw1lvxt\.cloudfront\.net" />
-  <!-- this unbreaks turntable.fm and probably many other things-->
-  <exclusion pattern="^http://d1bw0qpdrmjlhz\.cloudfront\.net" />
-	<!--
-		This breaks padlet.com wall:
 
-			https://trac.torproject.org/projects/tor/ticket/9146
+	<!--
+		and this is a generalised precaution from turntable.fm
 									-->
-	<exclusion pattern="^http://d2s8n7nv9yizdf\.cloudfront\.net/assets/extras-\w{32}\.js" />
-  <!-- and this is a generalised precaution from turntable.fm -->
-  <exclusion pattern="^http://([^/:@\.]+)\.cloudfront\.net/crossdomain\.xml" />
-  <!-- Spotify https://trac.torproject.org/projects/tor/ticket/7888 -->
-  <exclusion pattern="^http://dsu0uct5x2puz\.cloudfront\.net" />
-  <!-- Droplr: https://trac.torproject.org/projects/tor/ticket/8572 -->
-  <exclusion pattern="^http://d1zjcuqflbd5k\.cloudfront\.net" />
-  <!-- TuneIn: https://trac.torproject.org/projects/tor/ticket/8704 -->
-  <exclusion pattern="^http://d3bwsr3zpy54hy\.cloudfront\.net" />
-  <!-- Amazon mp3: https://trac.torproject.org/projects/tor/ticket/9367 
-                   https://trac.torproject.org/projects/tor/ticket/9851 -->
-  <exclusion pattern="^http://d2q1srilgjznst\.cloudfront\.net" />
-  <exclusion pattern="^http://d28julafmv4ekl\.cloudfront\.net" />
+	<exclusion pattern="^http://(?:[^/:@\.]+)\.cloudfront\.net/crossdomain\.xml" />
 
-  <!-- Panelsyndicate: https://github.com/EFForg/https-everywhere/issues/650 -->
-  <exclusion pattern="^http://d2h7a0a3c1074f\.cloudfront\.net" />
+  <!-- See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-custom-policy.html
+    Policies contain the protocol, so a signature for http will not work for https
+  -->
+  <exclusion pattern="&amp;Signature=" />
 </ruleset>
diff --git a/src/chrome/content/rules/Eventbrite.xml b/src/chrome/content/rules/Eventbrite.xml
@@ -1,9 +1,18 @@
-<ruleset name="Eventbrite">
+<!--
+	Nonfunctional domains:
+
+		- help.eventbrite.co.uk *
+
+	* Refused
+
+-->
+<ruleset name="Eventbrite (partial)">
 
 	<target host="eventbrite.com" />
 	<target host="*.eventbrite.com" />
 	<target host="eventbrite.co.uk" />
 	<target host="*.eventbrite.co.uk" />
+		<exclusion pattern="^http://help\.eventbrite\.co\.uk/" />
 
   <!--
   https://trac.torproject.org/projects/tor/ticket/8056
diff --git a/src/chrome/content/rules/Fasthosts.xml b/src/chrome/content/rules/Fasthosts.xml
@@ -26,7 +26,7 @@
 		favicon picked simply because it is
 		(or should be) innocuous:
 						-->
-	<rule from="^http://www\.fasthosts\.co\.uk/js/track\.js"
+	<rule from="^https://www\.fasthosts\.co\.uk/js/track\.js"
 		to="https://www.fasthosts.co.uk/favicon.ico" />
 
 	<!--	Cert only matches www.	-->
diff --git a/src/chrome/content/rules/Hewlett-Packard.xml b/src/chrome/content/rules/Hewlett-Packard.xml
@@ -20,6 +20,14 @@
 
 	² http reply
 
+
+	Partially covered domains:
+
+		- store.hp.com *
+
+	* Some pages redirect to http
+
+
 -->
 <ruleset name="HP (buggy?)" default_off="testing">
 
@@ -30,7 +38,7 @@
 	<target host="secure.hp-ww.com" />
 	<target host="hp.com" />
 	<target host="*.hp.com" />
-		<exclusion pattern="^http://h22207\.austin\.hp\.com" />
+		<exclusion pattern="^http://(?:h(?:22166|22207|30499|30507|50146|71000)\.austin|hpl|reimagine)\.hp\.com" />
 
 	<exclusion pattern="^http://m\.hp\.com"/>
 	<exclusion pattern="^http://welcome\.hp\.com"/>
@@ -41,6 +49,11 @@
 	<exclusion pattern="^http://h30261\.www3\.hp\.com"/>
 	<exclusion pattern="^http://h30434\.www3\.hp\.com"/>
 
+		<!--
+			At least some redirects 404:
+							-->
+		<exclusion pattern="^http://shopping1\.hp\.com/(?!is-bin/)" />
+		<exclusion pattern="^http://store\.hp\.com/webapp/wcs/stores/servlet(?:$|[?/])" />
 		<!--
 			404 over https:
 					-->
diff --git a/src/chrome/content/rules/Mozilla.xml b/src/chrome/content/rules/Mozilla.xml
@@ -49,6 +49,7 @@
 			- view.e ³
 			- graphs ²
 			- planet ²
+			- mig ²
 			- releases ³
 			- sfx-images ²		(banners)
 			- start ²
@@ -264,7 +265,7 @@
 		<!--
 			https://mail1.eff.org/pipermail/https-everywhere-rules/2013-July/001649.html
 													-->
-		<exclusion pattern="^http://(?:bonsai|browserquest|trychooser\.pub\.build|dxr|graphs|krakenbenchmark|planet|releases|sfx-images|start|telemetry|w(?:ebsite|ww)-archive)\.mozilla\.org/" />
+		<exclusion pattern="^http://(?:bonsai|browserquest|trychooser\.pub\.build|dxr|graphs|krakenbenchmark|mig|planet|releases|sfx-images|start|telemetry|w(?:ebsite|ww)-archive)\.mozilla\.org/" />
 		<!--
 			Breaks newsletter:
 
diff --git a/src/chrome/content/rules/Parallels.xml b/src/chrome/content/rules/Parallels.xml
@@ -5,6 +5,13 @@
 		- forum
 		- kb
 
+
+	Problematic domains:
+
+		- parallels.com *
+
+	* Mismatched, CN: sp.parallels.com
+
 -->
 <ruleset name="Parallels (partial)">
 
@@ -15,8 +22,8 @@
 	<securecookie host="^store\.parallels\.com$" name=".*"/>
 
 
-	<rule from="^http://(www\.)?parallels\.com/(favicon\.ico|file(admin|s)/|r/|typo3(conf|temp)/)"
-		to="https://$1parallels.com/$2"/>
+	<rule from="^http://(?:www\.)?parallels\.com/(favicon\.ico|file(admin|s)/|r/|typo3(conf|temp)/)"
+		to="https://www.parallels.com/$1"/>
 
 	<rule from="^http://blogs\.parallels\.com/"
 		to="https://parallelsblog.squarespace.com/"/>
diff --git a/src/chrome/content/rules/Princeton.edu.xml b/src/chrome/content/rules/Princeton.edu.xml
@@ -1,4 +1,4 @@
-<ruleset name="Princeton.edu">
+<ruleset name="Princeton.edu (buggy)" default_off="buggy">
 
 	<target host="princeton.edu" />
 	<target host="*.princeton.edu" />
diff --git a/src/chrome/content/rules/Scientific-American.xml b/src/chrome/content/rules/Scientific-American.xml
@@ -1,9 +1,21 @@
+<!--
+	^: expired
+
+-->
 <ruleset name="Scientific American (partial)" platform="mixedcontent">
 
 	<target host="sciamdigital.com" />
 	<target host="www.sciamdigital.com" />
 	<target host="scientificamerican.com" />
 	<target host="*.scientificamerican.com" />
+		<!--
+			Redirect to http:
+						-->
+		<!--exclusion pattern="^http://www\.scientificamerican\.com/article/[\w-]+/$" /-->
+		<!--
+			More conservatively:
+						-->
+		<exclusion pattern="^http://www\.scientificamerican\.com/article/" />
 
 
 	<!--	Observed cookies:
@@ -12,7 +24,7 @@
 			- ^subscribe
 			- ^www
 				-->
-	<securecookie host=".*\.scientificamerican.com$" name=".*" />
+	<securecookie host="subscribe\.scientificamerican.com$" name=".*" />
 
 
 	<!--	There may be more pages that
@@ -36,7 +48,10 @@
 	<rule from="^https?://www\.scientificamerican\.com/(.+)\.pagespeed\..*$"
 		to="https://www.scientificamerican.com/$1" />
 
-	<rule from="^http://(subscribe\.|www\.)?scientificamerican\.com/"
-		to="https://$1scientificamerican.com/" />
+	<rule from="^http://(?:www\.)?scientificamerican\.com/"
+		to="https://www.scientificamerican.com/" />
+
+	<rule from="^http://subscribe\.scientificamerican\.com/"
+		to="https://subscribe.scientificamerican.com/" />
 
 </ruleset>
diff --git a/src/chrome/content/rules/Walmart.com-falsemixed.xml b/src/chrome/content/rules/Walmart.com-falsemixed.xml
@@ -0,0 +1,16 @@
+<!--
+	For rules not causing false/broken MCB, see Walmart.com.xml.
+
+-->
+<ruleset name="Walmart.com (false MCB)" platform="mixedcontent">
+
+	<target host="help.walmart.com" />
+
+
+	<securecookie host="^help\.walmart\.com$" name=".+" />
+
+
+	<rule from="^http://help\.walmart\.com/"
+		to="https://help.walmart.com/" />
+
+</ruleset>
diff --git a/src/chrome/content/rules/Walmart.com.xml b/src/chrome/content/rules/Walmart.com.xml
@@ -1,4 +1,7 @@
 <!--
+	For rules causing false/broken MCB, see Walmart.com-falsemixed.xml.
+
+
 	Other Wal-Mart rulesets:
 
 		- ASDA.xml
@@ -15,27 +18,30 @@
 	Problematic subdomains:
 
 		- ^		(cert only matches www)
+		- help ³
 		- p13n-assets	(works, akamai)
 
+	³ Avoiding broken MCB
+
 
 	Fully covered subdomains:
 
-		- help
 		- p13n-assets	(→ akamai)
 
 
 	Observed cookie domains:
 
 		- . ¹
-		- help ² 
+		- help ¹
 		- www ¹
 
 	¹ Not secured by us <= incomplete support
-	² Secured by us
 
 
 	Mixed content:
 
+		- css on help from i2.walmartimages.com *
+
 		- Images on help from i2.walmartimages.com *
 
 	* Secured by us
@@ -53,9 +59,9 @@
 			Exceptions:
 					-->
 		<!--exclusion pattern="^http://(www\.)?walmart\.com/+(?!client_side_redirect\.gsp|cservice($|[?/])|favicon\.ico|i/|logout\.do)" /-->
-
-
-	<securecookie host="^help\.walmart\.com$" name=".+" />
+		<!--	Avoid broken MCB:
+						-->
+		 <exclusion pattern="^http://help\.walmart\.com/+(?!euf/(?:assets|rightnow)/|favicon\.ico)" />
 
 
 	<rule from="^http://(?:www\.)?walmart\.com/(?=client_side_redirect\.gsp|cservice(?:$|[?/])|favicon\.ico|i/|logout\.do)"
diff --git a/src/chrome/content/rules/Wikimedia.xml b/src/chrome/content/rules/Wikimedia.xml
@@ -4,6 +4,13 @@
 	longer the case, see https://blog.wikimedia.org/2011/10/03/native-https-support-enabled-for-all-wikimedia-foundation-wikis/ ,
 	so this file is a lot simpler these days.
 
+
+	Problematic domains:
+
+		- links.email.donate.wikimedia.org *
+
+	* Mismatched, CN: *.links.mkt41.net
+
 -->
 <ruleset name="Wikimedia">
 
@@ -63,6 +70,9 @@
 	<rule from="^https?://download\.wikipedia\.org/"
 		to="https://dumps.wikimedia.org/" />
 
+	<rule from="^http://links\.email\.donate\.wikimedia\.org/"
+		to="https://www.links.mkt41.net/" />
+
 	<rule from="^https?://(download|dataset2|sitemap)\.wikimedia\.org/"
 		to="https://dumps.wikimedia.org/" />
 

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-<ruleset name="Princeton.edu">`
	`1`	`+<ruleset name="Princeton.edu (buggy)" default_off="buggy">`
`2`	`2`
`3`	`3`	`<target host="princeton.edu" />`
`4`	`4`	`<target host="*.princeton.edu" />`