Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package https-everywhere

https-everywhere (4.0.2-3) unstable; urgency=medium

  * forgotten bug closer in previous changelog entry
  * add Bug-Debian to no-unconditional-FAQ-load.patch description

 -- Damyan Ivanov <d...@debian.org>  Fri, 28 Nov 2014 09:59:35 +0000

https-everywhere (4.0.2-2) unstable; urgency=medium

  * Team upload

  * Patch src/chrome/content/toolbar_button.js to make loading of the FAQ
    require user action.
    When run for the first time, the addon shows a notification bar.
    Closing that bar loads the HTTPS-everywhere FAQ from the authors' site.
    This is a privacy breach. This patch requires pressing a 'FAQ…' button
    before loading the remote page.
    Closes: #771286

 -- Damyan Ivanov <d...@debian.org>  Fri, 28 Nov 2014 09:31:54 +0000

This is similar in spirit to the unblock for greasemonkey/2.2-2, tracked
in #771242.

The changes add a patch that requires that the user presses a button in
order to load the remote page, and just dismissing the notification does
nothing.

Patch attached, as well as a debdiff against 4.0.2-1 in Jessie.

unblock https-everywhere/4.0.2-3

Thanks,
    dam

-- System Information:
Debian Release: jessie/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=bg_BG.UTF-8, LC_CTYPE=bg_BG.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Description: load FAQ after install only if requested The first time the browser is started after installing xul-ext-https-everywhere, a notification bar is shown, informing of the fact that some https enforcement is active and pointing to the toolbar button for options. . What is bad about that is that when the notification is dismissed, the browser is forced to open https://www.eff.org/https-everywhere/faq . This is a privacy breach, as it informs the authors (and user's ISP) that there is a new installation of https-everywhere. . The attached patch adds a dedicated button to the notification bar. Pressing that button loads the FAQ page as before, and just dismissing the notification bar does nothing. In other words, it makes the user *request* the FAQ before loading it. Author: Damyan Ivanov <d...@debian.org> Forwarded: https://github.com/EFForg/https-everywhere/issues/769 Bug-Debian: https://bugs.debian.org/771286 --- a/src/chrome/content/toolbar_button.js +++ b/src/chrome/content/toolbar_button.js @@ -122,11 +122,15 @@ httpsEverywhere.toolbarButton = { 'https-everywhere', 'chrome://https-everywhere/skin/https-everywhere-24.png', nBox.PRIORITY_WARNING_MEDIUM, - [], - function(action) { - // see https://developer.mozilla.org/en-US/docs/XUL/Method/appendNotification#Notification_box_events - gBrowser.selectedTab = gBrowser.addTab(faqURL); - } + [ + { accessKey: 'F', + callback: function(ntf, btn) { + // see https://developer.mozilla.org/en-US/docs/XUL/Method/appendNotification#Notification_box_events + gBrowser.selectedTab = gBrowser.addTab(faqURL); + }, + label: 'FAQ…', + } + ] ); } gBrowser.removeEventListener("DOMContentLoaded", tb.handleShowHint, true);
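
Review bot: In the new button object in src/chrome/content/toolbar_button.js, the comment pointing at appendNotification#Notification_box_events was carried over from the removed function(action) event callback and no longer describes the code it sits in, since the function is now a button callback(ntf, btn). Drop it or reword it to describe the button callback. The label 'FAQ…' and accessKey 'F' are also hard-coded English literals, and the label contains a non-ASCII ellipsis, so the button will show untranslated in other locales and depends on the file being read in the right encoding; consider taking both from a localized string.
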
diff -Nru https-everywhere-4.0.2/debian/changelog https-everywhere-4.0.2/debian/changelog --- https-everywhere-4.0.2/debian/changelog 2014-10-17 01:29:13.000000000 +0300 +++ https-everywhere-4.0.2/debian/changelog 2014-11-28 12:00:13.000000000 +0200 @@ -1,3 +1,24 @@ +https-everywhere (4.0.2-3) unstable; urgency=medium + + * forgotten bug closer in previous changelog entry + * add Bug-Debian to no-unconditional-FAQ-load.patch description + + -- Damyan Ivanov <d...@debian.org> Fri, 28 Nov 2014 09:59:35 +0000 + +https-everywhere (4.0.2-2) unstable; urgency=medium + + * Team upload + + * Patch src/chrome/content/toolbar_button.js to make loading of the FAQ + require user action. + When run for the first time, the addon shows a notification bar. + Closing that bar loads the HTTPS-everywhere FAQ from the authors' site. + This is a privacy breach. This patch requires pressing a 'FAQ…' button + before loading the remote page. + Closes: #771286 + + -- Damyan Ivanov <d...@debian.org> Fri, 28 Nov 2014 09:31:54 +0000 + https-everywhere (4.0.2-1) unstable; urgency=low * New upstream release. diff -Nru https-everywhere-4.0.2/debian/patches/no-unconditional-FAQ-load.patch https-everywhere-4.0.2/debian/patches/no-unconditional-FAQ-load.patch --- https-everywhere-4.0.2/debian/patches/no-unconditional-FAQ-load.patch 1970-01-01 02:00:00.000000000 +0200 +++ https-everywhere-4.0.2/debian/patches/no-unconditional-FAQ-load.patch 2014-11-28 11:58:21.000000000 +0200 
@@ -0,0 +1,43 @@ +Description: load FAQ after install only if requested + The first time the browser is started after installing + xul-ext-https-everywhere, a notification bar is shown, informing of + the fact that some https enforcement is active and pointing to the + toolbar button for options. + . + What is bad about that is that when the notification is dismissed, the + browser is forced to open https://www.eff.org/https-everywhere/faq + . + This is a privacy breach, as it informs the authors (and user's ISP) + that there is a new installation of https-everywhere. + . + The attached patch adds a dedicated button to the notification bar. + Pressing that button loads the FAQ page as before, and just dismissing + the notification bar does nothing. In other words, it makes the user + *request* the FAQ before loading it. +Author: Damyan Ivanov <d...@debian.org> +Forwarded: https://github.com/EFForg/https-everywhere/issues/769 +Bug-Debian: https://bugs.debian.org/771286 + +--- a/src/chrome/content/toolbar_button.js ++++ b/src/chrome/content/toolbar_button.js +@@ -122,11 +122,15 @@ httpsEverywhere.toolbarButton = { + 'https-everywhere', + 'chrome://https-everywhere/skin/https-everywhere-24.png', + nBox.PRIORITY_WARNING_MEDIUM, +- [], +- function(action) { +- // see https://developer.mozilla.org/en-US/docs/XUL/Method/appendNotification#Notification_box_events +- gBrowser.selectedTab = gBrowser.addTab(faqURL); +- } ++ [ ++ { accessKey: 'F', ++ callback: function(ntf, btn) { ++ // see https://developer.mozilla.org/en-US/docs/XUL/Method/appendNotification#Notification_box_events ++ gBrowser.selectedTab = gBrowser.addTab(faqURL); ++ }, ++ label: 'FAQ…', ++ } ++ ] + ); + } + gBrowser.removeEventListener("DOMContentLoaded", tb.handleShowHint, true); diff -Nru https-everywhere-4.0.2/debian/patches/series https-everywhere-4.0.2/debian/patches/series --- https-everywhere-4.0.2/debian/patches/series 2014-10-17 01:29:13.000000000 +0300 +++ 
https-everywhere-4.0.2/debian/patches/series 2014-11-28 10:17:31.000000000 +0200 @@ -3,3 +3,4 @@ use-newer-timestamp-date.patch make-clean.patch use-recorded-upstream-commit-id.patch +no-unconditional-FAQ-load.patch
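
Review bot: In the debian/changelog hunk, the 4.0.2-3 entry says the bug closer was forgotten, but "Closes: #771286" is added under the 4.0.2-2 entry and the 4.0.2-3 entry itself carries no closer. If 4.0.2-2 was already uploaded without it, the bug is only closed automatically when the 4.0.2-2 entry is included in the .changes file, so either put "Closes: #771286" in the 4.0.2-3 entry or build with -v4.0.2-1 so that both entries are covered.
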