Skip to content
GitLab
Projects Groups Snippets
  • /
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in
  • Trac Trac
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Issues 246
    • Issues 246
    • List
    • Boards
    • Service Desk
    • Milestones
  • Monitor
    • Monitor
    • Metrics
    • Incidents
  • Analytics
    • Analytics
    • Value stream
  • Wiki
    • Wiki
  • Activity
  • Create a new issue
  • Issue Boards
Collapse sidebar
  • Legacy
  • TracTrac
  • Issues
  • #5676
Closed (moved) (moved)
Open
Issue created Apr 26, 2012 by Trac@tracbot

HTTPS rewriting is bypassed if DNS root is explicitly specified

If you go to a URL such as http://www.google.com./ HTTPS-Everywhere will not switch to HTTPS. This is a legal DNS value, technically but not practically distinct from http://www.google.com/ and as such, it should be handled similarly.

On the other hand, it is sometimes useful to have an "escape hatch" to disable HTTPS rewriting for just one pageload (e.g. Google's doodles don't show under HTTPS in my experience). However, that hatch ought to have better affordances if it's to continue existing at all. As it is, this is potentially a social engineering vulnerability (although I'm not sure how practical such a hypothetical attack might be; it would probably need to be targeted at a particular individual).

Trac:
Username: NYKevin

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information
Assignee
Assign to
Time tracking