Package: xul-ext-https-everywhere
Version: 4.0.2-1
Severity: important
Tags: patch upstream

The first time the browser is started after installing 
xul-ext-https-everywhere, a notification bar is shown, informing of 
the fact that some https enforcement is active and pointing to the 
toolbar button for options.

What is bad about that is that when the notification is dismissed, the 
browser is forced to open https://www.eff.org/https-everywhere/faq

This is a privacy breach, as it informs the authors (and user's ISP) 
that there is a new installation of https-everywhere.

The attached patch adds a dedicated button to the notification bar. 
Pressing that button loads the FAQ page as before, and just dismissing 
the notification bar does nothing. In other words, it makes the user 
*request* the FAQ before loading it.

-- dam

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=bg_BG.UTF-8, LC_CTYPE=bg_BG.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages xul-ext-https-everywhere depends on:
ii  icedove    31.2.0-1
ii  iceweasel  33.1-1

xul-ext-https-everywhere recommends no packages.

xul-ext-https-everywhere suggests no packages.

-- no debconf information
Description: load FAQ after install only if requested
 The first time the browser is started after installing 
 xul-ext-https-everywhere, a notification bar is shown, informing of 
 the fact that some https enforcement is active and pointing to the 
 toolbar button for options.
 .
 What is bad about that is that when the notification is dismissed, the 
 browser is forced to open https://www.eff.org/https-everywhere/faq
 .
 This is a privacy breach, as it informs the authors (and user's ISP) 
 that there is a new installation of https-everywhere.
 .
 The attached patch adds a dedicated button to the notification bar. 
 Pressing that button loads the FAQ page as before, and just dismissing 
 the notification bar does nothing. In other words, it makes the user 
 *request* the FAQ before loading it.
Author: Damyan Ivanov <d...@debian.org>

--- a/src/chrome/content/toolbar_button.js
+++ b/src/chrome/content/toolbar_button.js
@@ -122,11 +122,15 @@ httpsEverywhere.toolbarButton = {
         'https-everywhere', 
         'chrome://https-everywhere/skin/https-everywhere-24.png', 
         nBox.PRIORITY_WARNING_MEDIUM,
-	[],
-	function(action) {
-	  // see https://developer.mozilla.org/en-US/docs/XUL/Method/appendNotification#Notification_box_events
-	  gBrowser.selectedTab = gBrowser.addTab(faqURL);
-	}
+        [
+            {   accessKey: 'F',
+                callback: function(ntf, btn) {
+                    // see https://developer.mozilla.org/en-US/docs/XUL/Method/appendNotification#Notification_box_events
+                    gBrowser.selectedTab = gBrowser.addTab(faqURL);
+                },
+                label: 'FAQ…',
+            }
+        ]
       );
     }
     gBrowser.removeEventListener("DOMContentLoaded", tb.handleShowHint, true);
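
Review bot: the button's `label: 'FAQ…'` and `accessKey: 'F'` are hard-coded string literals, so the new button will show the same text in every locale; consider taking both from the extension's localized strings if it has them. The comment copied into the button callback still links to Notification_box_events, but the code is no longer an event callback: the sixth argument to appendNotification is dropped, which is what stops the FAQ load on dismissal, so the comment should be updated or removed to say that instead. The callback returns nothing, so the bar closes after the FAQ tab opens, which matches the description. Minor style: the removed lines were tab-indented and the added ones use spaces, and the trailing comma after the `label` entry can go.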
