Https-everywhere: Rule exclusions and carets

Created on 8 Feb 2020  路  2Comments  路  Source: EFForg/https-everywhere

Some hostname exclusions do start with a caret, and some without (and there are a handful which are about path/query matches).

> grep '<exclusion' *.xml | grep '="^' | wc -l
2392
> grep '<exclusion' *.xml | grep '="http' | wc -l
89
> grep '<exclusion' *.xml | grep -v '="h' | grep -v '="^'
CAcert.xml:     <exclusion pattern="\.crt" />
CAcert.xml:     <exclusion pattern="\.crl" />
Cloudfront.xml: <exclusion pattern="&amp;Signature=" />
Ooyala.xml:             <exclusion pattern="crossdomain\.xml$" />
Roundhouse.xml: <exclusion
StartCom.xml:  <exclusion pattern="ocsp\.startssl" />
StartCom.xml:  <exclusion pattern="\.crl$" />
StartCom.xml:  <exclusion pattern="\.crt$" />
wlresources.com.xml:            <exclusion pattern="\.js(?:$|\?)" />

I guess it does not matter as http:// and / appearing elsewhere in the URL should be percent encoded, but it would be good to have enforced consistency. Beginning them with ^ should improve performance.

ruleset-bug
Source
picture jayvdb
👍2

Most helpful comment

@jayvdb Nice catch! @zoracon Should we disallow this in ruleset test?

picture pipboy96 on 8 Feb 2020
👍2

All 2 comments

@jayvdb Nice catch! @zoracon Should we disallow this in ruleset test?

pipboy96 picture pipboy96 on 8 Feb 2020
👍2

UPDATE There is currently no rule to enforce a beginning ^ or tailing $ in the schema we use, see schema.xml#40. In #15917, it did not require whitelisting to merge such exclusions. I agree it is a good idea to disallow such exclusions.

~I think that exclusion without a leading ^ will fail the rules tests, and these rulesets are whitelisted at the moment.~ However, I agree that some exclusions are too generic (without specifying ^ and $). The following exclusion should be rewritten:

CAcert.xml:     <exclusion pattern="\.crt" />
CAcert.xml:     <exclusion pattern="\.crl" />
Cloudfront.xml: <exclusion pattern="&amp;Signature=" />
Ooyala.xml:             <exclusion pattern="crossdomain\.xml$" />
Roundhouse.xml: <exclusion
StartCom.xml:  <exclusion pattern="ocsp\.startssl" />
wlresources.com.xml:            <exclusion pattern="\.js(?:$|\?)" />
cschanaj picture cschanaj on 9 Feb 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

austin987 picture austin987  路  5Comments
cschanaj picture cschanaj  路  4Comments
J0WI picture J0WI  路  3Comments
anonsubmitter picture anonsubmitter  路  5Comments
cschanaj picture cschanaj  路  4Comments