-
Michael Catanzaro authored
It's experimental and not supposed to be enabled, but got turned on in Arch, so best move it to a sidebranch for now. I'm not sure if we'll ever bring it back, though. HTTPS Everywhere was a great idea a few years ago, when it was common for websites to offer experimental support for HTTPS but not redirect users to it automatically. Nowadays, such websites almost always problems, such as blocked mixed content or invalid HTTPS certificates, or have disabled HTTPS since the ruleset was written. That means, to do this right, we have to ignore TLS errors -- including in subresources -- and disable mixed content blocking. This scheme to preserve web compatibility needs to be implemented before we consider bringing it back. Meanwhile, more and more websites are redirecting to HTTPS and are nowadays configured to handle this correctly, so the necessity of HTTPS Everywhere is lower now than ever before, and decreasing fast. Moreover, if a website implements its own proper support for HTTPS and starts automatically redirecting users to it, but the ruleset is not updated, then under the scheme I propose above, the ruleset would become a way of *reducing* security for websites once they've begun to support HTTPS. So I'm skeptical that we should bring this back at all. Times, they are a-changing. https://bugzilla.gnome.org/show_bug.cgi?id=794803
3ef21f14