Merge branch 'master' into disable-rulesets-june-2015-a

jsha · jsha · commit 1f17e670163f · 2015-06-24T14:37:44.000-07:00
diff --git a/src/chrome/content/rules/AmazonAWS.xml b/src/chrome/content/rules/AmazonAWS.xml
@@ -125,6 +125,11 @@ Non-2xx HTTP code: http://ec2.images-amazon.com/ (200) => https://images-na.ssl-
 			Breaks soundsjustlike.com audio:
 							-->
 		<exclusion pattern="^http://badracket-website\.s3\.amazonaws\.com/swf/soundmanager\d_flash\d\.swf" />
+		<!--
+			Breaks premiumbeat.com preview player
+							-->
+		<exclusion pattern="^http://s3\.amazonaws\.com/pb_(sfx_)?previews/" />
+
 		<!--
 			https://trac.torproject.org/projects/tor/ticket/7857
 
@@ -324,6 +329,7 @@ Non-2xx HTTP code: http://ec2.images-amazon.com/ (200) => https://images-na.ssl-
 <test url="http://darkskysatellitemaps.s3.amazonaws.com/" />
 <test url="http://ecx.images-amazon.com/" />
 <test url="http://amazon-zg.s3.amazonaws.com/" />
-
+<test url="http://s3.amazonaws.com/pb_previews/" />
+<test url="http://s3.amazonaws.com/pb_sfx_previews/" />
 
 </ruleset>
diff --git a/src/chrome/content/rules/CSIRO.xml b/src/chrome/content/rules/CSIRO.xml
diff --git a/src/chrome/content/rules/Google_App_Engine.xml b/src/chrome/content/rules/Google_App_Engine.xml
@@ -14,12 +14,23 @@ Non-2xx HTTP code: http://appspot.com/ (200) => https://appspot.com/ (404)
 			Redirects to http for some reason.
 								-->
 		<exclusion pattern="^http://photomunchers\.appspot\.com/" />
+		<test url="http://photomunchers.appspot.com/" />
+		<!--
+			Starbucks captive portals use this name internally,
+			but don't have a local key / cert for it (which is a
+			good thing). If we rewrite to HTTPS, we break access
+			to the captive portal, making it impossible to get
+			access to the Internet.
+			https://github.com/EFForg/https-everywhere/issues/1958#issuecomment-113695158
+		-->
+		<exclusion pattern="^http://sbux-portal\.appspot\.com/" />
+		<test url="http://sbux-portal.appspot.com/" />
 
 
 	<securecookie host="^.+\.appspot\.com$" name=".+" />
 
 
-	<rule from="^http://([^@:\./]+\.)?appspot\.com/"
-		 to="https://$1appspot.com/" />
+	<rule from="^http:"
+		 to="https:" />
 
-</ruleset>
+</ruleset>
diff --git a/src/chrome/content/rules/League_of_Legends.com.xml b/src/chrome/content/rules/League_of_Legends.com.xml
@@ -31,10 +31,11 @@
 
 		- euw ¹
 		- na ¹
+		- forums.(na|euw) ¹
 		- community.na ²
 		- competitive.na ³
 
-	¹ Redirects to http, valid cert
+	¹ 500
 	² Refused
 	³ 503, akamai
 
@@ -45,14 +46,16 @@
 		- gameinfo.euw ¹
 		- gameinfo.na ¹
 		- prized.na ²
+		- metrics ³
+		- status ³
 
 	¹ cloudfront
 	² Works; mismatched, CN: *.gotpantheon.com
+	³ mismatch
 
 
 	Partially covered subdomains:
 
-		- forums.na *
 		- signup *
 
 	* Some pages redirect to http
@@ -65,6 +68,8 @@
 		- pbesignup.euw
 		- pbesignup.na
 		- support
+		- account
+		- ddragon
 
 	* → dx0wf1fepagqw.cloudfront.net
 
@@ -91,28 +96,24 @@
 <ruleset name="League of Legends.com (partial)">
 
 	<target host="leagueoflegends.com" />
-	<target host="*.leagueoflegends.com" />
-		<!--
-			Redirect to http:
-						-->
-		<!--exclusion pattern="^http://forums\.na\.leagueoflegends\.com/board/($|\?)" /-->
-		<!--exclusion pattern="^http://signup\.leagueoflegends\.com/+((en/home/index|en/signup/redownload|en/signup/redownload)($|\?))" /-->
-		<!--
-			Exceptions:
-					-->
-		<exclusion pattern="^http://forums\.na\.leagueoflegends\.com/board/riot-assets/" />
-		<exclusion pattern="^http://signup\.leagueoflegends\.com/+(?!en/signup(?:$|\?|/captcha/)|favicon\.ico|theme/)" />
+	<target host="signup.leagueoflegends.com" />
+	<target host="support.leagueoflegends.com" />
+	<target host="www.leagueoflegends.com" />
+	<target host="pbesignup.na.leagueoflegends.com" />
+	<target host="pbesignup.euw.leagueoflegends.com" />
+	<target host="account.leagueoflegends.com" />
+	<target host="ddragon.leagueoflegends.com" />
+	<target host="cdn.leagueoflegends.com" />
 
 
 	<!--	Server sets Secure for:
 					-->
 	<!--securecookie host="^support\.leagueoflegends\.com$" name=".+" /-->
 
-
-	<rule from="^http://((?:pbesignup\.(?:euw|na)|forums\.na|signup|support|www)\.)?leagueoflegends\.com/"
-		to="https://$1leagueoflegends.com/" />
-
 	<rule from="^http://cdn\.leagueoflegends\.com/"
 		to="https://dx0wf1fepagqw.cloudfront.net/" />
+	
+	<rule from="^http:"
+		to="https:" />
 
 </ruleset>
diff --git a/src/chrome/content/rules/Spiegel.xml b/src/chrome/content/rules/Spiegel.xml
@@ -17,6 +17,8 @@
 		- forum
 		- tvprogramm
 		- wetter	(cert: plesk; shows default Parallels Plesk page)
+		- shop
+		- wissen
 
 -->
 <ruleset name="Spiegel (partial)">
@@ -35,10 +37,26 @@
 	<rule from="^http://(?:cdn\d?\.)?spiegel\.de/"
 		to="https://www.spiegel.de/" />
 
-	<rule from="^http://www\.spiegel\.de/(images/|img/|layout/|static/|staticgen/)"
+	<rule from="^http://www\.spiegel\.de/(images/|pics/|layout/|static/|staticgen/)"
 		to="https://www.spiegel.de/$1" />
 
-	<rule from="^http://(abo|count|magazin|shop|wissen)\.spiegel\.de/"
+	<!-- exclude static/flash from rule above to make videos work properly -->
+	
+	<exclusion pattern="^http://www\.spiegel\.de/static/flash/" />
+
+	<rule from="^http://(abo|count|magazin)\.spiegel\.de/"
 		to="https://$1.spiegel.de/" />
+	
+	<test url="http://www.spiegel.de/images/image-429070-thumbsmall-mmtp.png" />
+	<test url="http://www.spiegel.de/pics/43/0,1020,308043,00.jpg" />
+	<test url="http://www.spiegel.de/layout/jscfg/http/global-V6-7.js" />
+	<test url="http://www.spiegel.de/static/sys/dimensionspixel.gif" />
+	<test url="http://www.spiegel.de/staticgen/fussballticker/heatmaps/BUNDESLIGA/201213/18/spiegel_heatmap_138361_35099_440_330.jpg" />
+	<test url="http://abo.spiegel.de/" />
+	<test url="http://abo.spiegel.de/" />
+	<test url="http://count.spiegel.de/" />
+	<test url="http://magazin.spiegel.de/" />
+	<test url="http://www.spiegel.de/static/flash/flashvideo/homadconfig.json" />
+	
 
 </ruleset>
diff --git a/src/chrome/content/rules/Stack-Exchange.xml b/src/chrome/content/rules/Stack-Exchange.xml
@@ -70,12 +70,6 @@
 	<!-- Stackoverflow -->
 	<target host="chat.stackoverflow.com" />
 	<target host="careers.stackoverflow.com" />
-		<!-- These two have mixed active content over https - there is also a downgrade rule below -->
-		<exclusion pattern="^http://careers\.stackoverflow\.com/(cities|employer)"/>
-		<test url="http://careers.stackoverflow.com/cities/san-francisco/" />
-		<test url="http://careers.stackoverflow.com/employer/" />
-		<test url="https://careers.stackoverflow.com/cities/san-francisco/" />
-		<test url="https://careers.stackoverflow.com/employer/" />
 	<target host="ja.stackoverflow.com" />
 	<target host="meta.stackoverflow.com" />
 	<target host="pt.stackoverflow.com" />
@@ -141,9 +135,6 @@
 <!-- Rules -->
 	
 	<!-- https links from other pages to these will cause MCB for important elements, hence the downgrades -->
-	<rule from="^https://careers\.stackoverflow\.com/(cities|employer)" 
-		to="http://careers.stackoverflow.com/$1" downgrade="1" />
-		
 	<rule from="^https://([\w.-]+)\.([\w-]+)\.stackexchange\.com/" 
 		to="http://$1.$2.stackexchange.com/" downgrade="1" />
 	
diff --git a/src/chrome/content/rules/StartCom.xml b/src/chrome/content/rules/StartCom.xml
@@ -15,7 +15,9 @@ Fetch error: http://auth.startssl.com/ => https://auth.startssl.com/: (35, 'erro
   <target host="*.startssl.eu" />
   <target host="startssl.us" />
   <target host="*.startssl.us" />
-  <!-- host startcom.org responds neither on 80 nor on 443 -->
+  <!-- host startcom.org responds neither on 80 nor on 443,
+    but should be protected from MitM and redirected to https://www.startcom.org -->
+  <target host="startcom.org" />
   <target host="*.startcom.org" />
 
   <!-- since these resources are required for establishing HTTPS connections,
@@ -55,6 +57,11 @@ Fetch error: http://auth.startssl.com/ => https://auth.startssl.com/: (35, 'erro
   <test url="http://www.startssl.org/" />
   <test url="http://www.startssl.eu/" />
   <test url="http://www.startssl.us/" />
+  
+  <test url="http://startcom.org/" />
 
+  <!-- host startcom.org responds neither on 80 nor on 443,
+    but should be protected from MitM and redirected to https://www.startcom.org -->
+  <rule from="^http://startcom\.org/" to="https://www.startcom.org/" />
   <rule from="^http:" to="https:" />
 </ruleset>
diff --git a/src/chrome/content/rules/Tilt.com.xml b/src/chrome/content/rules/Tilt.com.xml
@@ -1,18 +1,4 @@
 <!--
-	NB: Tor users cannot view* this website due to CloudFlare settings.
-
-	See:
-
-		- https://blog.torproject.org/blog/call-arms-helping-internet-services-accept-anonymous-users
-		- https://support.cloudflare.com/hc/en-us/articles/203306930-Does-CloudFlare-block-Tor-
-		- https://support.cloudflare.com/hc/en-us/articles/200170206-How-do-I-turn-I-m-Under-Attack-mode-on-
-
-	* without enabling javascript, for security and privacy implications see e.g.:
-
-		- https://www.mozilla.org/security/known-vulnerabilities/firefox.html
-		- https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-fingerprinting
-		- https://panopticlick.eff.org
-
 
 	Fully covered domains:
 
@@ -28,7 +14,6 @@
 
 	* Per-account domains
 
-
 	Insecure cookies are set for these domains:
 
 		- .tilt.com
@@ -39,18 +24,13 @@
 	<target host="tilt.com" />
 	<target host="*.tilt.com" />
 
-		<test url="http://blog.tilt.com/" />
-		<test url="http://open.tilt.com/" />
-		<test url="http://questions.tilt.com/" />
-		<test url="http://www.tilt.com/" />
-
-
-	<!--	CloudFlare cookies:
-					-->
-	<!--securecookie host="^\.tilt\.com$" name="^(__cfduid|cf_clearance)$" /-->
-
-	<securecookie host="^\.tilt\.com$" name="^(?:__cfduid|cf_clearance)$" />
+	<exclusion pattern="^http://stories\.tilt\.com" />
+	<exclusion pattern="^http://engineering\.tilt\.com" />
 
+	<test url="http://blog.tilt.com/" />
+	<test url="http://open.tilt.com/" />
+	<test url="http://questions.tilt.com/" />
+	<test url="http://www.tilt.com/" />
 
 	<rule from="^http://([\w-]+\.)?tilt\.com/"
 		to="https://$1tilt.com/" />
diff --git a/src/chrome/content/rules/Wikimedia.xml b/src/chrome/content/rules/Wikimedia.xml
@@ -114,8 +114,6 @@ Fetch error: http://ganglia.wmflabs.org/ => https://ganglia.wmflabs.org/: (6, 'C
 
 	<!-- Wikimedia Tool Labs -->
 	<target host="tools.wmflabs.org" />
-	<target host="icinga.wmflabs.org" />
-	<target host="ganglia.wmflabs.org" />
 	<target host="accounts.wmflabs.org" />
 	<target host="reportcard.wmflabs.org" />
 
