Disabling on specific host should reload page from HTTPS #864
Labels
effort/hours: Estimated to take one or several hours
exp/beginner: Can be confidently tackled by newcomers
good first issue: Good issue for new contributors
help wanted: Seeking public contribution on this issue
kind/bug: A bug in existing code (including security flaws)
P2: Medium: Good to have, but can wait until someone steps up
status/ready: Ready to be worked
topic/security: Work related to security
Right now, when IPFS integrations are disabled via a toggle, the extension assumes http://. Most servers redirect http:// → https://, or have HSTS set up, but Companion should default to https://, because if someone did not set up a redirect to a secure context, there is a risk of the same website being loaded from http.

Easy fix is to use https:// in the line below:
https://github.com/ipfs-shipyard/ipfs-companion/blob/06227a244d357e2969b52f01dda8ee13df286446/add-on/src/popup/browser-action/store.js#L196
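An added sketch of the fix requested above, not ipfs-companion's own code: a hypothetical helper, `reloadUrlForOptOut`, that builds the URL to reload after opting a host out and always uses https://. It assumes the tab may currently show a path-gateway URL of the form `/ipns/<fqdn>/...`; the host name and gateway address in the comments are constructed samples.

```javascript
// Hypothetical helper (an assumption for illustration, not from the project).
// Accept only a bare DNS name: no scheme, port, credentials, path or spaces.
const FQDN = /^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$/i

function reloadUrlForOptOut (fqdn, currentUrl) {
  if (typeof fqdn !== 'string' || !FQDN.test(fqdn)) {
    throw new TypeError('not a bare hostname: ' + String(fqdn))
  }
  const host = fqdn.toLowerCase()
  const current = new URL(currentUrl)

  // If the tab shows a gateway URL such as
  // http://localhost:8080/ipns/docs.example.org/install/ (constructed sample),
  // strip the /ipns/<fqdn> prefix to recover the site's own path.
  const prefix = '/ipns/' + host
  let path = current.pathname
  const head = path.slice(0, prefix.length).toLowerCase()
  const next = path.charAt(prefix.length)
  if (head === prefix && (next === '' || next === '/')) {
    path = path.slice(prefix.length) || '/'
  }

  // Build the target from a fixed https:// origin and set the components
  // through the URL API, so a path such as "//other.example/x" cannot be
  // re-read as a different authority and the scheme can never fall back
  // to http://, whatever scheme the current tab uses.
  const target = new URL('https://' + host + '/')
  target.pathname = path
  target.search = current.search
  target.hash = current.hash
  return target.href
}
```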