Embedded content loaded from third-party domains (for example, YouTube, Google Analytics, ad networks, or CDNs) may also be affected. You can test this by loading the web page in question in a browser with HTTPS Everywhere installed and pulling down the HTTPS Everywhere rules menu. This will show a list of HTTPS Everywhere rules that were applied as the page was loaded, including rules that might have affected embedded content from other domains.
The stable (as yet unreleased) branch contains the following rule that is enabled by default:
<!-- For other Google coverage, see GoogleServices.xml Nonfunctional domains: - hosted.gmodules.com * - img0.gmodules.com * - p.gmodules.com * * 404; mismatched, CN: *.googleusercontent.com Problematic domains: - gmodules.com (503, CN: www.google.com) - www.gmodules.com (503, CN: *.googleusercontent.com) - gstatic.com (404, valid cert) These two changed URL formats as well as domains, need to find an example of the old format in the wild: - api.recaptcha.net (→ www.google.com) - api-secure.recaptcha.net Partially covered domains: - (www.)gmodules.com (→ www.google.com) - (www.)google.com - chart.apis.google.com (→ chart.googleapis.com) Fully covered domains: - api.google.com - *.clients.google.com: - linkhelp - googleapis.com subdomains: - ajax - chart - *.commondatastorage - fonts - storage - *.storage - www - gstatic.com subdomains: - (www.) (^ → www) - csi - encrypted-tbn\d - fonts - g0 - *.metric - ssl - t\d --><ruleset name="Google APIs"> <target host="gmodules.com"/> <target host="www.gmodules.com"/> <!-- need this exclusion otherwise the test checker will use the hosts as test urls --> <exclusion pattern="^http://(www\.)?gmodules\.com/$"/> <target host="ajax.googleapis.com"/> <!-- The implicit test URL at the root of this domain generates a 404. Add an exclusion so the fetcher is happy. --> <exclusion pattern="^http://ajax\.googleapis\.com/$"/> <target host="chart.googleapis.com"/> <!-- The implicit test URL at the root of this domain generates a 404. Add an exclusion so the fetcher is happy. --> <exclusion pattern="^http://chart\.googleapis\.com/$"/> <target host="ct.googleapis.com"/> <target host="fonts.googleapis.com"/> <target host="imasdk.googleapis.com"/> <target host="maps.googleapis.com"/> <target host="www.googleapis.com"/> <target host="commondatastorage.googleapis.com"/> <target host="*.commondatastorage.googleapis.com"/> <target host="*.storage.googleapis.com"/> <target host="storage.googleapis.com"/> <target host="gstatic.com"/> <target host="*.gstatic.com"/> <securecookie host="^maps\.gstatic\.com$" name=".+"/> <!-- Captive portal detection redirects to this URL, and many captive portals break TLS, so exempt this redirect URL. See GitHub bug #368 --> <exclusion pattern="^http://www\.gstatic\.com/generate_204"/> <test url="http://www.gstatic.com/generate_204"/> <!-- Breaks digitalattackmap.com, cf. https://trac.torproject.org/projects/tor/ticket/15154 --> <exclusion pattern="^http://www\.gstatic\.com/ddos-viz/attacks\.json"/> <test url="http://www.gstatic.com/ddos-viz/attacks.json"/> <!-- Causes CORS issues on http://www.codeskulptor.org/ (try saving current file). See https://github.com/EFForg/https-everywhere/issues/1828 --> <exclusion pattern="^http://codeskulptor-user\d+\.commondatastorage\.googleapis\.com/"/> <test url="http://codeskulptor-user44.commondatastorage.googleapis.com/user44_0LxgCGWCjo_0.py"/> <test url="http://codeskulptor-user301.commondatastorage.googleapis.com/user301_nVlSk7alrk_0.py"/> <rule from="^http://(?:www\.)?gmodules\.com/ig/images/" to="https://www.google.com/ig/images/"/> <test url="http://gmodules.com/ig/images/"/> <test url="http://www.gmodules.com/ig/images/"/> <rule from="^http://(ajax|chart|ct|fonts|imasdk|maps|www)\.googleapis\.com/" to="https://$1.googleapis.com/"/> <test url="http://ajax.googleapis.com/ajax/libs/angular_material/0.8.2/angular-material.min.js"/> <test url="http://ct.googleapis.com/aviator/ct/v1/get-entries?start=0&end=1"/> <test url="http://chart.googleapis.com/chart?cht=p3&chs=250x100&chd=t:60,40&chl=Hello|World"/> <test url="http://fonts.googleapis.com/css?family=Tangerine"/> <test url="http://maps.googleapis.com/maps/ms?hl=da&ie=UTF8&msa=0&msid=213981917930555964408.00044f8886ceeef1c1b88&source=embed&ll=55.432276,9.439402&spn=0.017045,0.043774&z=14"/> <rule from="^http://([\w-]+\.)?(commondata)?storage\.googleapis\.com/" to="https://$1$2storage.googleapis.com/"/> <test url="http://chromedriver.storage.googleapis.com/"/> <test url="http://fiber.storage.googleapis.com/channels/guide/kansascity.pdf"/> <test url="http://patentimages.storage.googleapis.com/"/> <test url="http://bookmarc-binders.commondatastorage.googleapis.com/allegion/Allegion%202014%20Residential%20Product%20Catalogue%20Regent%20Series%20Knobs%20Levers_0114.pdf"/> <test url="http://bookmarc-binders.commondatastorage.googleapis.com/danpalon/Danpalon%20Architectural%20Catalogue.pdf"/> <test url="http://ckannet-storage.commondatastorage.googleapis.com/2014-07-06T23:24:20.852Z/vol-1-no-2-paper-2-owusu-dankwa-prosper.pdf"/> <!-- There is an interesting question about whether we should append &strip=1 to all cache URLs. This causes them to load without images and styles, which is more secure but can look worse. Without &strip=1, the images and styles from the cached pages still load from the original, typically unencrypted, page. With &strip=1, the cached page will be text-only and will come exclusively from Google's HTTPS server. --> <rule from="^http://(www\.)?gstatic\.com/" to="https://www.gstatic.com/"/> <test url="http://www.gstatic.com/"/> <rule from="^http://(csi|encrypted-tbn\d|fonts|g0|maps|[\w-]+\.metric|ssl|t\d)\.gstatic\.com/" to="https://$1.gstatic.com/"/> <test url="http://csi.gstatic.com/"/> <test url="http://encrypted-tbn1.gstatic.com/"/> <test url="http://encrypted-tbn2.gstatic.com/"/> <test url="http://encrypted-tbn3.gstatic.com/"/> <test url="http://fonts.gstatic.com/"/> <test url="http://g0.gstatic.com/"/> <test url="http://maps.gstatic.com/"/> <test url="http://test1-ds.metric.gstatic.com/"/> <test url="http://test2-ds.metric.gstatic.com/"/> <test url="http://test3-ds.metric.gstatic.com/"/> <test url="http://ssl.gstatic.com/"/> <test url="http://t1.gstatic.com/"/> <test url="http://t2.gstatic.com/"/> <test url="http://t3.gstatic.com/"/> </ruleset>
The release branch contains the following rules that are enabled by default:
<!-- For other Google coverage, see GoogleServices.xml Nonfunctional domains: - hosted.gmodules.com * - img0.gmodules.com * - p.gmodules.com * * 404; mismatched, CN: *.googleusercontent.com Problematic domains: - gmodules.com (503, CN: www.google.com) - www.gmodules.com (503, CN: *.googleusercontent.com) - gstatic.com (404, valid cert) These two changed URL formats as well as domains, need to find an example of the old format in the wild: - api.recaptcha.net (→ www.google.com) - api-secure.recaptcha.net Partially covered domains: - (www.)gmodules.com (→ www.google.com) - (www.)google.com - chart.apis.google.com (→ chart.googleapis.com) Fully covered domains: - api.google.com - *.clients.google.com: - linkhelp - googleapis.com subdomains: - ajax - chart - *.commondatastorage - fonts - storage - *.storage - www - gstatic.com subdomains: - (www.) (^ → www) - csi - encrypted-tbn\d - fonts - g0 - *.metric - ssl - t\d --><ruleset name="Google APIs"> <target host="gmodules.com"/> <target host="www.gmodules.com"/> <!-- need this exclusion otherwise the test checker will use the hosts as test urls --> <exclusion pattern="^http://(www\.)?gmodules\.com/$"/> <target host="ajax.googleapis.com"/> <!-- The implicit test URL at the root of this domain generates a 404. Add an exclusion so the fetcher is happy. --> <exclusion pattern="^http://ajax\.googleapis\.com/$"/> <target host="chart.googleapis.com"/> <!-- The implicit test URL at the root of this domain generates a 404. Add an exclusion so the fetcher is happy. --> <exclusion pattern="^http://chart\.googleapis\.com/$"/> <target host="ct.googleapis.com"/> <target host="fonts.googleapis.com"/> <target host="imasdk.googleapis.com"/> <target host="maps.googleapis.com"/> <target host="www.googleapis.com"/> <target host="commondatastorage.googleapis.com"/> <target host="*.commondatastorage.googleapis.com"/> <target host="*.storage.googleapis.com"/> <target host="storage.googleapis.com"/> <target host="gstatic.com"/> <target host="*.gstatic.com"/> <securecookie host="^maps\.gstatic\.com$" name=".+"/> <!-- Captive portal detection redirects to this URL, and many captive portals break TLS, so exempt this redirect URL. See GitHub bug #368 --> <exclusion pattern="^http://www\.gstatic\.com/generate_204"/> <test url="http://www.gstatic.com/generate_204"/> <!-- Breaks digitalattackmap.com, cf. https://trac.torproject.org/projects/tor/ticket/15154 --> <exclusion pattern="^http://www\.gstatic\.com/ddos-viz/attacks\.json"/> <test url="http://www.gstatic.com/ddos-viz/attacks.json"/> <!-- Causes CORS issues on http://www.codeskulptor.org/ (try saving current file). See https://github.com/EFForg/https-everywhere/issues/1828 --> <exclusion pattern="^http://codeskulptor-user\d+\.commondatastorage\.googleapis\.com/"/> <test url="http://codeskulptor-user44.commondatastorage.googleapis.com/user44_0LxgCGWCjo_0.py"/> <test url="http://codeskulptor-user301.commondatastorage.googleapis.com/user301_nVlSk7alrk_0.py"/> <rule from="^http://(?:www\.)?gmodules\.com/ig/images/" to="https://www.google.com/ig/images/"/> <test url="http://gmodules.com/ig/images/"/> <test url="http://www.gmodules.com/ig/images/"/> <rule from="^http://(ajax|chart|ct|fonts|imasdk|maps|www)\.googleapis\.com/" to="https://$1.googleapis.com/"/> <test url="http://ajax.googleapis.com/ajax/libs/angular_material/0.8.2/angular-material.min.js"/> <test url="http://ct.googleapis.com/aviator/ct/v1/get-entries?start=0&end=1"/> <test url="http://chart.googleapis.com/chart?cht=p3&chs=250x100&chd=t:60,40&chl=Hello|World"/> <test url="http://fonts.googleapis.com/css?family=Tangerine"/> <test url="http://maps.googleapis.com/maps/ms?hl=da&ie=UTF8&msa=0&msid=213981917930555964408.00044f8886ceeef1c1b88&source=embed&ll=55.432276,9.439402&spn=0.017045,0.043774&z=14"/> <rule from="^http://([\w-]+\.)?(commondata)?storage\.googleapis\.com/" to="https://$1$2storage.googleapis.com/"/> <test url="http://chromedriver.storage.googleapis.com/"/> <test url="http://fiber.storage.googleapis.com/channels/guide/kansascity.pdf"/> <test url="http://patentimages.storage.googleapis.com/"/> <test url="http://bookmarc-binders.commondatastorage.googleapis.com/allegion/Allegion%202014%20Residential%20Product%20Catalogue%20Regent%20Series%20Knobs%20Levers_0114.pdf"/> <test url="http://bookmarc-binders.commondatastorage.googleapis.com/danpalon/Danpalon%20Architectural%20Catalogue.pdf"/> <test url="http://ckannet-storage.commondatastorage.googleapis.com/2014-07-06T23:24:20.852Z/vol-1-no-2-paper-2-owusu-dankwa-prosper.pdf"/> <!-- There is an interesting question about whether we should append &strip=1 to all cache URLs. This causes them to load without images and styles, which is more secure but can look worse. Without &strip=1, the images and styles from the cached pages still load from the original, typically unencrypted, page. With &strip=1, the cached page will be text-only and will come exclusively from Google's HTTPS server. --> <rule from="^http://(www\.)?gstatic\.com/" to="https://www.gstatic.com/"/> <test url="http://www.gstatic.com/"/> <rule from="^http://(csi|encrypted-tbn\d|fonts|g0|maps|[\w-]+\.metric|ssl|t\d)\.gstatic\.com/" to="https://$1.gstatic.com/"/> <test url="http://csi.gstatic.com/"/> <test url="http://encrypted-tbn1.gstatic.com/"/> <test url="http://encrypted-tbn2.gstatic.com/"/> <test url="http://encrypted-tbn3.gstatic.com/"/> <test url="http://fonts.gstatic.com/"/> <test url="http://g0.gstatic.com/"/> <test url="http://maps.gstatic.com/"/> <test url="http://test1-ds.metric.gstatic.com/"/> <test url="http://test2-ds.metric.gstatic.com/"/> <test url="http://test3-ds.metric.gstatic.com/"/> <test url="http://ssl.gstatic.com/"/> <test url="http://t1.gstatic.com/"/> <test url="http://t2.gstatic.com/"/> <test url="http://t3.gstatic.com/"/> </ruleset>
The HTTPS Everywhere developers welcome corrections and updates to rules. Please see our developer information and documentation of the ruleset format. If filing a bug in the Tor Project's Trac bug tracker, you can use the shared username and password cypherpunks / writecode; please ensure that the bug is marked as applying to HTTPS Everywhere.
Information current as of:
current release 6a955e7 2018-11-01 05:00:06 -0700;
next release e7f9f87 2018-12-14 12:11:54 -0700;
current release 6a955e7 2018-11-01 05:00:06 -0700;
next release e7f9f87 2018-12-14 12:11:54 -0700;