This repository has been archived by the owner on Sep 2, 2021. It is now read-only.

Fix HTTPS Everywhere #143

Open
wants to merge 2 commits into
base: gh-pages

Conversation

marcelgerber
Contributor

... by directly requesting https version of update info
For #138

@peterflynn
Member

I guess the question is, do we want to modify our page just to work around a (hopefully temporary) bug in a browser extension? How widely used is this extension? (I hadn't heard of it before the bug was reported)

Also, would we need to make any other changes for this to fully work? The extension bug indicates that it also frequently breaks analytics (which is important for download counts) and webfonts (which we might also be loading from a different domain?).

@peterflynn
Member

I wonder if an alternative fix would be to just make sure our links don't totally fail when the JSON update feed is unavailable. That also wouldn't fix any other parts of the page broken by HTTPS Everywhere, but OTOH it would benefit other cases rather than being a workaround specific to this one extension.

@marcelgerber
Contributor Author

We already default the big hero download button to the GitHub releases page, and yes, it won't hurt to do the same for the "Download Brackets without Extract" button, too.

I had heard of HTTPS Everywhere before, but never used it myself.
I guess this fix won't hurt, and we don't need to do anything else to make it work.

I don't know about analytics right now, but yeah, that's possible. I quickly looked at the list of hosts the addon forces HTTPS for on our page, and it showed Google Analytics and Amazon S3 Web Services (which causes this issue). So, it definitely doesn't impact webfont loading, at least.

@anewuser

anewuser commented Mar 6, 2015

@peterflynn There's no info on the number of users on Firefox because they don't offer it through the Mozilla website (here's the official explanation), but HTTPS Everywhere is very popular among privacy-minded people. According to their official repositories, the Chrome version has 794,630 users, and the Opera version has 190,075 users.

@marcelgerber
Contributor Author

@peterflynn I've attached a patch to default the download button(s) to the GitHub releases page.
I've left the other fix in - in case you don't wanna take it, tell me and I'll remove it.

I've changed the default URL of the big hero download button to https://github.com/adobe/brackets/releases as well, as we can't decide whether releases/latest is the Extract build or not.

@jsha

jsha commented Mar 8, 2015

Hi @peterflynn! I'm the current maintainer for HTTPS Everywhere. Apologies for the CORS bug (EFForg/https-everywhere#49) causing issues on your site. I'm definitely planning to fix it, but our developer time at EFF is extremely limited, the bug is a bit complex and not yet fully understood, and it may be a little while before I can roll out a fix. However, I will treat this issue as bumping up the priority.

I'd recommend updating these URLs to the secure version anyhow, because it's one more step on the road to making your site use HTTPS by default for all pages, which we at EFF strongly believe is the direction the web is moving. Chrome has even started planning for the day when they can indicate HTTP URLs with the same insecure marker they use for HTTPS sites with a bad certificate.

Thanks,
Jacob

@ficristo
Collaborator

I don't know about the analytics side but I would not rely on relative URLs.
I would prefer to be always explicit on using https.
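
The two fixes discussed in this thread (request the update feed over explicit HTTPS, and keep the download buttons pointing at the GitHub releases page whenever the feed is unavailable), sketched as an added example that is not part of the pull request or the Brackets site code. The feed URL, the feed's JSON shape, the `downloadURL` field and all function names are assumptions; only the releases-page URL comes from the thread.

```javascript
// Default target named in the thread for the download buttons.
const RELEASES_PAGE = "https://github.com/adobe/brackets/releases";

// Hypothetical feed location; the real feed URL is not shown on this page.
const FEED_URL = "https://updates.example.invalid/brackets/updates.json";

// Accept only absolute https: URLs. Relative and protocol-relative
// ("//host/path") values fail to parse without a base and are rejected.
function httpsOnly(candidate) {
  if (typeof candidate !== "string") return null;
  try {
    const u = new URL(candidate);
    return u.protocol === "https:" ? u.href : null;
  } catch (e) {
    return null;
  }
}

// Turn the raw feed body into a button target, falling back on any problem.
// Assumed feed shape: JSON array, newest entry first, with a "downloadURL".
function pickDownloadUrl(feedText) {
  let feed;
  try {
    feed = JSON.parse(feedText);
  } catch (e) {
    return RELEASES_PAGE; // truncated or non-JSON response
  }
  const newest = Array.isArray(feed) ? feed[0] : null;
  return (newest && httpsOnly(newest.downloadURL)) || RELEASES_PAGE;
}

// Fetch wrapper; fetchImpl is injectable so the logic can run offline.
async function resolveDownloadUrl(fetchImpl = fetch, feedUrl = FEED_URL) {
  if (!httpsOnly(feedUrl)) return RELEASES_PAGE;
  try {
    const res = await fetchImpl(feedUrl);
    if (!res.ok) return RELEASES_PAGE;
    return pickDownloadUrl(await res.text());
  } catch (e) {
    return RELEASES_PAGE; // blocked request, CORS failure, network error
  }
}
```

Setting the button's `href` to `RELEASES_PAGE` in the static HTML and overwriting it only with the resolved value keeps the link usable even when the script never runs.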
