[or-cvs] [https-everywhere/master] better protect against SSL stripping, and escape dots

schoen at torproject.org schoen at torproject.org
Thu Nov 11 20:49:35 UTC 2010


Author: Seth Schoen <schoen at eff.org>
Date: Thu, 11 Nov 2010 12:49:10 -0800
Subject: better protect against SSL stripping, and escape dots
Commit: 26f8caa42aeec6397ac948eb78ac984da48fed9f

---
 src/chrome/content/rules/Live.xml |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/chrome/content/rules/Live.xml b/src/chrome/content/rules/Live.xml
index 2649560..e6acb2a 100644
--- a/src/chrome/content/rules/Live.xml
+++ b/src/chrome/content/rules/Live.xml
@@ -8,14 +8,14 @@
   
   <!-- Microsoft itself protects the login this way but we can prevent
        against SSL stripping. -->
-  <rule from="^http://(login|onecare)\.live\.com/" to="https://$1.live.com/"/>
+  <rule from="^http://(login|onecare|mail)\.live\.com/" to="https://$1.live.com/"/>
 
   <!-- Both of these appear to trigger two good things: (1) the user is
        prompted to make HTTPS the default; (2) even if the user decides
        not to, the remainder of that mail-reading session is automatically
        HTTPS-only. -->
   <rule from="^http://(www\.)hotmail\.com/" to="https://www.hotmail.com/"/>
-  <rule from="^http://([^@:/]+)\.([^@:/]+)\.mail.live.com/" to="https://$2.mail.live.com/"/>
+  <rule from="^http://([^@:/]+)\.([^@:/]+)\.mail\.live\.com/" to="https://$2.mail.live.com/"/>
   <!-- example:
        http://sn133w.snt133.mail.live.com/default.aspx?wa=wsignin1.0 >>>
        https://snt133.mail.live.com/default.aspx?wa=wsignin1.0  -->
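
Review bot: In the hotmail rule left unchanged as context, `(www\.)` is a required group, so `http://hotmail.com/` without the `www.` prefix never matches and is left on plain HTTP; if the bare domain is meant to be covered, make the group optional with `(www\.)?`. Separately, the first rule now also rewrites `mail.live.com`, but the comment above it still speaks only of the login, so it should be updated to say why `mail` was added. The example comment at the end of the hunk shows only the two-label `*.mail.live.com` case, so a matching example for the bare `mail.live.com` host would help too.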
-- 
1.7.1


