Your message dated Fri, 28 Nov 2014 12:02:40 +0200
with message-id <20141128100240.ga31...@ktnx.net>
and subject line [ftpmas...@ftp-master.debian.org: 
https-everywhere_4.0.2-2_amd64.changes ACCEPTED into unstable]
has caused the Debian Bug report #771286,
regarding privacy breach: loads FAQ from the network after first installation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
771286: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771286
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: xul-ext-https-everywhere
Version: 4.0.2-1
Severity: important
Tags: patch upstream

The first time the browser is started after installing 
xul-ext-https-everywhere, a notification bar is shown, informing of 
the fact that some https enforcement is active and pointing to the 
toolbar button for options.

What is bad about that is that when the notification is dismissed, the 
browser is forced to open https://www.eff.org/https-everywhere/faq

This is a privacy breach, as it informs the authors (and user's ISP) 
that there is a new installation of https-everywhere.

The attached patch adds a dedicated button to the notification bar. 
Pressing that button loads the FAQ page as before, and just dismissing 
the notification bar does nothing. In other words, it makes the user 
*request* the FAQ before loading it.

-- dam

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=bg_BG.UTF-8, LC_CTYPE=bg_BG.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages xul-ext-https-everywhere depends on:
ii  icedove    31.2.0-1
ii  iceweasel  33.1-1

xul-ext-https-everywhere recommends no packages.

xul-ext-https-everywhere suggests no packages.

-- no debconf information
Description: load FAQ after install only if requested
 The first time the browser is started after installing 
 xul-ext-https-everywhere, a notification bar is shown, informing of 
 the fact that some https enforcement is active and pointing to the 
 toolbar button for options.
 .
 What is bad about that is that when the notification is dismissed, the 
 browser is forced to open https://www.eff.org/https-everywhere/faq
 .
 This is a privacy breach, as it informs the authors (and user's ISP) 
 that there is a new installation of https-everywhere.
 .
 The attached patch adds a dedicated button to the notification bar. 
 Pressing that button loads the FAQ page as before, and just dismissing 
 the notification bar does nothing. In other words, it makes the user 
 *request* the FAQ before loading it.
Author: Damyan Ivanov <d...@debian.org>

--- a/src/chrome/content/toolbar_button.js
+++ b/src/chrome/content/toolbar_button.js
@@ -122,11 +122,15 @@ httpsEverywhere.toolbarButton = {
         'https-everywhere', 
         'chrome://https-everywhere/skin/https-everywhere-24.png', 
         nBox.PRIORITY_WARNING_MEDIUM,
-	[],
-	function(action) {
-	  // see https://developer.mozilla.org/en-US/docs/XUL/Method/appendNotification#Notification_box_events
-	  gBrowser.selectedTab = gBrowser.addTab(faqURL);
-	}
+        [
+            {   accessKey: 'F',
+                callback: function(ntf, btn) {
+                    // see https://developer.mozilla.org/en-US/docs/XUL/Method/appendNotification#Notification_box_events
+                    gBrowser.selectedTab = gBrowser.addTab(faqURL);
+                },
+                label: 'FAQ…',
+            }
+        ]
       );
     }
     gBrowser.removeEventListener("DOMContentLoaded", tb.handleShowHint, true);
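
Review bot: The label 'FAQ…' and accessKey 'F' in the added button object are hard-coded English literals, so the one control that now gates the request to faqURL cannot be translated, and the non-ASCII ellipsis relies on the script being read as UTF-8. Consider taking both values from the extension's localized strings. The comment carried into the new callback still links to the Notification_box_events anchor, which matched the removed function(action) event callback rather than a button callback, so it should be updated or dropped. The added lines are indented with spaces while the removed ones used tabs; matching the file's existing style would keep the diff against upstream smaller.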

--- End Message ---
--- Begin Message ---
The following upload fixes the bug but lacked the 'Closes: #nnn' line.

----- Forwarded message from Debian FTP Masters 
<ftpmas...@ftp-master.debian.org> -----

From: Debian FTP Masters <ftpmas...@ftp-master.debian.org>
Subject: https-everywhere_4.0.2-2_amd64.changes ACCEPTED into unstable
Date: Fri, 28 Nov 2014 09:49:06 +0000

Accepted:

Description:
 xul-ext-https-everywhere - extension to force the use of HTTPS on many sites
Changes:
 https-everywhere (4.0.2-2) unstable; urgency=medium
 .
   * Team upload
 .
   * Patch src/chrome/content/toolbar_button.js to make loading of the FAQ
     require user action.
     When run for the first time, the addon shows a notification bar.
     Closing that bar loads the HTTPS-everywhere FAQ from the authors' site.
     This is a privacy breach. This patch requires pressing a 'FAQ…' button
     before loading the remote page.

----- End forwarded message -----

Attachment: signature.asc
Description: Digital signature


--- End Message ---
_______________________________________________
Pkg-mozext-maintainers mailing list
Pkg-mozext-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mozext-maintainers
