Disabling on specific host should reload page from HTTPS #864

Open
lidel opened this issue Apr 9, 2020 · 0 comments
Labels
effort/hours Estimated to take one or several hours exp/beginner Can be confidently tackled by newcomers good first issue Good issue for new contributors help wanted Seeking public contribution on this issue kind/bug A bug in existing code (including security flaws) P2 Medium: Good to have, but can wait until someone steps up status/ready Ready to be worked topic/security Work related to security

Comments

lidel commented Apr 9, 2020

Filing from mobile so we don't forget. Good first issue if someone wants to fix this via a PR before I get to it next week.

Right now, when IPFS integrations are disabled via a toggle, the extension assumes http://.

Most servers redirect http:// to https://, or have HSTS set up, but Companion should default to https://, because if someone did not set up a redirect to a secure context, there is a risk of the same website being loaded from http.

Easy fix is to use https:// in the line below:

https://github.com/ipfs-shipyard/ipfs-companion/blob/06227a244d357e2969b52f01dda8ee13df286446/add-on/src/popup/browser-action/store.js#L196

@lidel lidel added kind/bug A bug in existing code (including security flaws) help wanted Seeking public contribution on this issue good first issue Good issue for new contributors P2 Medium: Good to have, but can wait until someone steps up status/ready Ready to be worked exp/beginner Can be confidently tackled by newcomers effort/hours Estimated to take one or several hours labels Apr 9, 2020
@lidel lidel changed the title from "Toggling enable on <hostname> should default to HTTPS" to "Disabling on specific host should reload page from HTTPS" Apr 9, 2020
@lidel lidel added the topic/security Work related to security label Apr 9, 2020
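
One way to build the reload target so that opting out never lands on plain HTTP, as an added example that is not part of the issue or of IPFS Companion's code. It assumes the tab is showing a path-style gateway URL of the form `<gateway>/ipns/<fqdn>/<path>`; the function name `httpsUrlForOptOut` and the sample URLs are hypothetical.

```javascript
// Added example (not IPFS Companion code).
// Assumption: the page was loaded through a path-style gateway, so the tab URL
// looks like http://127.0.0.1:8080/ipns/<fqdn>/<path>?<query>#<hash>.
// Returns the https:// URL of the original site, or null when no safe target
// can be derived.
function httpsUrlForOptOut (tabUrl) {
  const gatewayUrl = new URL(tabUrl)
  const match = /^\/ipns\/([^/]+)(\/.*)?$/.exec(gatewayUrl.pathname)
  if (!match) return null // not an /ipns/<fqdn>/ page

  const [, fqdn, path = '/'] = match
  // An IPNS key (no dots) is not a DNS name, so there is no website to return to.
  if (!fqdn.includes('.')) return null

  let target
  try {
    // Default to the secure scheme instead of assuming http://
    target = new URL(`https://${fqdn}`)
  } catch (_) {
    return null // the segment does not parse as a host
  }

  // The segment must be a bare hostname: reject userinfo, ports and anything
  // the URL parser normalised into a different host.
  if (target.hostname !== fqdn.toLowerCase() ||
      target.port || target.username || target.password) {
    return null
  }

  // Keep the rest of the address so the user lands on the same page.
  target.pathname = path
  target.search = gatewayUrl.search
  target.hash = gatewayUrl.hash
  return target.href
}

// Constructed sample input
console.log(httpsUrlForOptOut('http://127.0.0.1:8080/ipns/docs.example.com/install/?a=1#top'))
```

A site that is not served over HTTPS at all will fail to load with this default, which is visible to the user, unlike a silent load over plain HTTP.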