mirror of https://github.com/searxng/searxng.git
Merge pull request #97 from pointhi/https
Implementing https rewrite support
This commit is contained in:
commit
20400c40c3
|
@ -17,6 +17,7 @@ along with searx. If not, see < http://www.gnu.org/licenses/ >.
|
||||||
|
|
||||||
from os import environ
|
from os import environ
|
||||||
from os.path import realpath, dirname, join, abspath
|
from os.path import realpath, dirname, join, abspath
|
||||||
|
from searx.https_rewrite import load_https_rules
|
||||||
try:
|
try:
|
||||||
from yaml import load
|
from yaml import load
|
||||||
except:
|
except:
|
||||||
|
@ -34,7 +35,16 @@ if 'SEARX_SETTINGS_PATH' in environ:
|
||||||
else:
|
else:
|
||||||
settings_path = join(searx_dir, 'settings.yml')
|
settings_path = join(searx_dir, 'settings.yml')
|
||||||
|
|
||||||
|
if 'SEARX_HTTPS_REWRITE_PATH' in environ:
|
||||||
|
https_rewrite_path = environ['SEARX_HTTPS_REWRITE_PATH']
|
||||||
|
else:
|
||||||
|
https_rewrite_path = join(searx_dir, 'https_rules')
|
||||||
|
|
||||||
# load settings
|
# load settings
|
||||||
with open(settings_path) as settings_yaml:
|
with open(settings_path) as settings_yaml:
|
||||||
settings = load(settings_yaml)
|
settings = load(settings_yaml)
|
||||||
|
|
||||||
|
# load https rules only if https rewrite is enabled
|
||||||
|
if settings.get('server', {}).get('https_rewrite'):
|
||||||
|
# loade https rules
|
||||||
|
load_https_rules(https_rewrite_path)
|
||||||
|
|
|
@ -1,14 +1,141 @@
|
||||||
|
'''
|
||||||
|
searx is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU Affero General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
searx is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU Affero General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU Affero General Public License
|
||||||
|
along with searx. If not, see < http://www.gnu.org/licenses/ >.
|
||||||
|
|
||||||
|
(C) 2013- by Adam Tauber, <asciimoo@gmail.com>
|
||||||
|
'''
|
||||||
|
|
||||||
import re
|
import re
|
||||||
|
from lxml import etree
|
||||||
|
from os import listdir
|
||||||
|
from os.path import isfile, join
|
||||||
|
|
||||||
|
|
||||||
# https://gitweb.torproject.org/\
|
# https://gitweb.torproject.org/\
|
||||||
# pde/https-everywhere.git/tree/4.0:/src/chrome/content/rules
|
# pde/https-everywhere.git/tree/4.0:/src/chrome/content/rules
|
||||||
|
|
||||||
# HTTPS rewrite rules
|
# HTTPS rewrite rules
|
||||||
https_rules = (
|
https_rules = []
|
||||||
# from
|
|
||||||
(re.compile(r'^http://(www\.|m\.|)?xkcd\.(?:com|org)/', re.I | re.U),
|
|
||||||
# to
|
# load single ruleset from a xml file
|
||||||
r'https://\1xkcd.com/'),
|
def load_single_https_ruleset(filepath):
|
||||||
(re.compile(r'^https?://(?:ssl)?imgs\.xkcd\.com/', re.I | re.U),
|
ruleset = ()
|
||||||
r'https://sslimgs.xkcd.com/'),
|
|
||||||
)
|
# init parser
|
||||||
|
parser = etree.XMLParser()
|
||||||
|
|
||||||
|
# load and parse xml-file
|
||||||
|
try:
|
||||||
|
tree = etree.parse(filepath, parser)
|
||||||
|
except:
|
||||||
|
# TODO, error message
|
||||||
|
return ()
|
||||||
|
|
||||||
|
# get root node
|
||||||
|
root = tree.getroot()
|
||||||
|
|
||||||
|
#print(etree.tostring(tree))
|
||||||
|
|
||||||
|
# check if root is a node with the name ruleset
|
||||||
|
# TODO improve parsing
|
||||||
|
if root.tag != 'ruleset':
|
||||||
|
return ()
|
||||||
|
|
||||||
|
# check if rule is deactivated by default
|
||||||
|
if root.attrib.get('default_off'):
|
||||||
|
return ()
|
||||||
|
|
||||||
|
# check if rule does only work for specific platforms
|
||||||
|
if root.attrib.get('platform'):
|
||||||
|
return ()
|
||||||
|
|
||||||
|
hosts = []
|
||||||
|
rules = []
|
||||||
|
exclusions = []
|
||||||
|
|
||||||
|
# parse childs from ruleset
|
||||||
|
for ruleset in root:
|
||||||
|
# this child define a target
|
||||||
|
if ruleset.tag == 'target':
|
||||||
|
# check if required tags available
|
||||||
|
if not ruleset.attrib.get('host'):
|
||||||
|
continue
|
||||||
|
|
||||||
|
# convert host-rule to valid regex
|
||||||
|
host = ruleset.attrib.get('host').replace('.', '\.').replace('*', '.*')
|
||||||
|
|
||||||
|
# append to host list
|
||||||
|
hosts.append(host)
|
||||||
|
|
||||||
|
# this child define a rule
|
||||||
|
elif ruleset.tag == 'rule':
|
||||||
|
# check if required tags available
|
||||||
|
if not ruleset.attrib.get('from')\
|
||||||
|
or not ruleset.attrib.get('to'):
|
||||||
|
continue
|
||||||
|
|
||||||
|
# TODO hack, which convert a javascript regex group into a valid python regex group
|
||||||
|
rule_from = ruleset.attrib.get('from').replace('$', '\\')
|
||||||
|
rule_to = ruleset.attrib.get('to').replace('$', '\\')
|
||||||
|
|
||||||
|
# TODO, not working yet because of the hack above, currently doing that in webapp.py
|
||||||
|
#rule_from_rgx = re.compile(rule_from, re.I)
|
||||||
|
|
||||||
|
# append rule
|
||||||
|
rules.append((rule_from, rule_to))
|
||||||
|
|
||||||
|
# this child define an exclusion
|
||||||
|
elif ruleset.tag == 'exclusion':
|
||||||
|
# check if required tags available
|
||||||
|
if not ruleset.attrib.get('pattern'):
|
||||||
|
continue
|
||||||
|
|
||||||
|
exclusion_rgx = re.compile(ruleset.attrib.get('pattern'))
|
||||||
|
|
||||||
|
# append exclusion
|
||||||
|
exclusions.append(exclusion_rgx)
|
||||||
|
|
||||||
|
# convert list of possible hosts to a simple regex
|
||||||
|
# TODO compress regex to improve performance
|
||||||
|
try:
|
||||||
|
target_hosts = re.compile('^(' + '|'.join(hosts) + ')', re.I | re.U)
|
||||||
|
except:
|
||||||
|
return ()
|
||||||
|
|
||||||
|
# return ruleset
|
||||||
|
return (target_hosts, rules, exclusions)
|
||||||
|
|
||||||
|
|
||||||
|
# load all https rewrite rules
|
||||||
|
def load_https_rules(rules_path):
|
||||||
|
# add / to path if not set yet
|
||||||
|
if rules_path[-1:] != '/':
|
||||||
|
rules_path += '/'
|
||||||
|
|
||||||
|
# search all xml files which are stored in the https rule directory
|
||||||
|
xml_files = [ join(rules_path,f) for f in listdir(rules_path) if isfile(join(rules_path,f)) and f[-4:] == '.xml' ]
|
||||||
|
|
||||||
|
# load xml-files
|
||||||
|
for ruleset_file in xml_files:
|
||||||
|
# calculate rewrite-rules
|
||||||
|
ruleset = load_single_https_ruleset(ruleset_file)
|
||||||
|
|
||||||
|
# skip if no ruleset returned
|
||||||
|
if not ruleset:
|
||||||
|
continue
|
||||||
|
|
||||||
|
# append ruleset
|
||||||
|
https_rules.append(ruleset)
|
||||||
|
|
||||||
|
print(' * {n} https-rules loaded'.format(n=len(https_rules)))
|
||||||
|
|
|
@ -0,0 +1,17 @@
|
||||||
|
<!--
|
||||||
|
This directory contains web site rewriting rules for the
|
||||||
|
HTTPS Everywhere software, available from
|
||||||
|
https://www.eff.org/https-everywhere
|
||||||
|
|
||||||
|
These rules were contributed to the project by users and aim to
|
||||||
|
enable routine secure access to as many different web sites as
|
||||||
|
possible. They are automatically installed together with the
|
||||||
|
HTTPS Everywhere software. The presence of these rules does not
|
||||||
|
mean that an HTTPS Everywhere user accessed, or intended to
|
||||||
|
access, any particular web site.
|
||||||
|
|
||||||
|
For information about how to create additional HTTPS Everywhere
|
||||||
|
rewriting rules to add support for new sites, please see
|
||||||
|
|
||||||
|
https://www.eff.org/https-everywhere/rulesets
|
||||||
|
-->
|
|
@ -0,0 +1,56 @@
|
||||||
|
<!--
|
||||||
|
For other Microsoft coverage, see Microsoft.xml.
|
||||||
|
|
||||||
|
|
||||||
|
CDN buckets:
|
||||||
|
|
||||||
|
- a134.lm.akamai.net
|
||||||
|
|
||||||
|
- akam.bing.com
|
||||||
|
- *.mm.bing.net
|
||||||
|
|
||||||
|
|
||||||
|
Nonfunctional domains:
|
||||||
|
|
||||||
|
- m2.cn.bing.com
|
||||||
|
- origin.bj1.bing.com
|
||||||
|
- blogs.bing.com
|
||||||
|
|
||||||
|
|
||||||
|
Fully covered domains:
|
||||||
|
|
||||||
|
- bing.com subdomains:
|
||||||
|
|
||||||
|
- (www.)
|
||||||
|
- c.bing (tracking beacons)
|
||||||
|
- cn.bing
|
||||||
|
- h.bing
|
||||||
|
- ssl
|
||||||
|
- testfamilysafety.bing
|
||||||
|
- udc.bing
|
||||||
|
- (www.)bing
|
||||||
|
|
||||||
|
- *.mm.bing.net
|
||||||
|
- api.bing.com
|
||||||
|
|
||||||
|
-->
|
||||||
|
<ruleset name="Bing">
|
||||||
|
|
||||||
|
<target host="bing.com" />
|
||||||
|
<target host="*.bing.com" />
|
||||||
|
<target host="*.mm.bing.net" />
|
||||||
|
|
||||||
|
|
||||||
|
<securecookie host=".*\.bing\.com$" name=".+" />
|
||||||
|
|
||||||
|
|
||||||
|
<rule from="^http://((?:c|cn|h|ssl|testfamilysafety|udc|www)\.)?bing\.com/"
|
||||||
|
to="https://$1bing.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://([^/:@]*)\.mm\.bing\.net/"
|
||||||
|
to="https://$1.mm.bing.com/"/>
|
||||||
|
|
||||||
|
<rule from="^http://([^/:@]*)\.api\.bing\.net/"
|
||||||
|
to="https://$1.api.bing.com/"/>
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,69 @@
|
||||||
|
<!--
|
||||||
|
Nonfunctional domains:
|
||||||
|
|
||||||
|
- blog.dailymotion.com
|
||||||
|
- press.dailymotion.com (shows steaw.com, CN: www.steaw.com)
|
||||||
|
- proxy-46.dailymotion.com
|
||||||
|
- publicite.dailymotion.com
|
||||||
|
- publisher.dailymotion.com (reset)
|
||||||
|
- vid.ak.dmcdn.net (403, Akamai)
|
||||||
|
- vid2.ak.dmcdn.net (504, akamai)
|
||||||
|
|
||||||
|
|
||||||
|
Problematic domains:
|
||||||
|
|
||||||
|
- ak2.static.dailymotion.com (mismatched, CN: *.dmcdn.net)
|
||||||
|
- support.dmcloud.net (mismatched, CN: *.zendesk.com)
|
||||||
|
|
||||||
|
|
||||||
|
Partially covered domains:
|
||||||
|
|
||||||
|
- (www.)dailymotion.com
|
||||||
|
|
||||||
|
- cdn/manifest/video/\w+.mnft 403s
|
||||||
|
- crossdomain.xml breaks videos
|
||||||
|
|
||||||
|
-->
|
||||||
|
<ruleset name="Dailymotion (default off)" default_off="breaks some embedded videos">
|
||||||
|
|
||||||
|
<target host="dailymotion.com" />
|
||||||
|
<!--
|
||||||
|
* for cross-domain cookie.
|
||||||
|
-->
|
||||||
|
<target host="*.dailymotion.com" />
|
||||||
|
<!--
|
||||||
|
https://mail1.eff.org/pipermail/https-everywhere-rules/2012-July/001241.html
|
||||||
|
-->
|
||||||
|
<exclusion pattern="^http://(?:www\.)?dailymotion\.com/(?:cdn/[\w-]+/video/|crossdomain\.xml$)" />
|
||||||
|
<target host="ak2.static.dailymotion.com" />
|
||||||
|
<target host="*.dmcdn.net" />
|
||||||
|
<target host="dmcloud.net" />
|
||||||
|
<target host="*.dmcloud.net" />
|
||||||
|
|
||||||
|
|
||||||
|
<!-- Testing wrt embedded breakage.
|
||||||
|
|
||||||
|
securecookie host="^.*\.dailymotion\.com$" name=".+" /-->
|
||||||
|
<!--
|
||||||
|
Omniture tracking cookies:
|
||||||
|
-->
|
||||||
|
<securecookie host="^\.dailymotion\.com$" name="^s_\w+$" />
|
||||||
|
<securecookie host="^www\.dailymotion\.com$" name=".+" />
|
||||||
|
|
||||||
|
|
||||||
|
<rule from="^http://(erroracct\.|www\.)?dailymotion\.com/"
|
||||||
|
to="https://$1dailymotion.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://(s\d|static(?:\d|s\d-ssl))\.dmcdn\.net/"
|
||||||
|
to="https://$1.dmcdn.net/" />
|
||||||
|
|
||||||
|
<rule from="^https?://ak2\.static\.dailymotion\.com/"
|
||||||
|
to="https://static1-ssl.dmcdn.net/" />
|
||||||
|
|
||||||
|
<rule from="^http://(s\.|www\.)?dmcloud\.net/"
|
||||||
|
to="https://$1dmcloud.net/" />
|
||||||
|
|
||||||
|
<rule from="^https?://support\.dmcloud\.net/"
|
||||||
|
to="https://dmcloud.zendesk.com/" />
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,53 @@
|
||||||
|
<!--
|
||||||
|
For problematic rules, see Deviantart-mismatches.xml.
|
||||||
|
|
||||||
|
|
||||||
|
Other deviantArt rulesets:
|
||||||
|
|
||||||
|
- Sta.sh.xml
|
||||||
|
|
||||||
|
|
||||||
|
ToDo: Find edgecast URL for /(fc|th)\d+.
|
||||||
|
|
||||||
|
|
||||||
|
Mixed content:
|
||||||
|
|
||||||
|
- Images on *.....com from e.deviantart.net *
|
||||||
|
|
||||||
|
* Secured by us
|
||||||
|
|
||||||
|
-->
|
||||||
|
<ruleset name="DeviantArt (pending)" default_off="site operator says not ready yet">
|
||||||
|
|
||||||
|
<target host="deviantart.com" />
|
||||||
|
<target host="*.deviantart.com" />
|
||||||
|
<target host="deviantart.net" />
|
||||||
|
<target host="*.deviantart.net" />
|
||||||
|
|
||||||
|
|
||||||
|
<!-- Not secured by server:
|
||||||
|
-->
|
||||||
|
<!--securecookie host="^\.deviantart\.com$" name="^userinfo$" /-->
|
||||||
|
|
||||||
|
<securecookie host="^\.deviantart\.com$" name=".*" />
|
||||||
|
|
||||||
|
|
||||||
|
<!-- Redirects from com to net, but does so successfully by itself.
|
||||||
|
-->
|
||||||
|
<rule from="^http://([aei]|fc\d\d|s[ht]|th\d\d)\.deviantart\.(com|net)/"
|
||||||
|
to="https://$1.deviantart.$2/" />
|
||||||
|
|
||||||
|
<!-- This handles everything that isn't in the first rule.
|
||||||
|
Namely, usernames, backend, fc, th, and (www.).
|
||||||
|
These domains present a cert that is only
|
||||||
|
valid for .com.
|
||||||
|
Note that .net isn't used on DA, but.net does
|
||||||
|
redirect to .com, and we shouldn't break what would
|
||||||
|
otherwise work.
|
||||||
|
Mustn't rewrite from https here, as doing so
|
||||||
|
would conflict with the first rule.
|
||||||
|
-->
|
||||||
|
<rule from="^http://([^/:@\.]+\.)?deviantart\.(?:com|net)/"
|
||||||
|
to="https://$1deviantart.com/" />
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,38 @@
|
||||||
|
<!--
|
||||||
|
Problematic domains:
|
||||||
|
|
||||||
|
- www.dukgo.com (mismatched, CN: dukgo.com)
|
||||||
|
|
||||||
|
|
||||||
|
Fully covered domains:
|
||||||
|
|
||||||
|
- (www.)dukgo.com (www → ^)
|
||||||
|
|
||||||
|
-->
|
||||||
|
<ruleset name="DuckDuckGo">
|
||||||
|
<target host="duckduckgo.com" />
|
||||||
|
<target host="*.duckduckgo.com" />
|
||||||
|
<target host="ddg.gg" />
|
||||||
|
<target host="duck.co" />
|
||||||
|
<target host="i.duck.co" />
|
||||||
|
<target host="dukgo.com" />
|
||||||
|
<target host="www.dukgo.com" />
|
||||||
|
|
||||||
|
<exclusion pattern="^http://(help|meme)\.duckduckgo\.com/" />
|
||||||
|
|
||||||
|
<securecookie host="^duck\.co$" name=".*"/>
|
||||||
|
|
||||||
|
<rule from="^http://duckduckgo\.com/" to="https://duckduckgo.com/"/>
|
||||||
|
<rule from="^http://([^/:@\.]+)\.duckduckgo\.com/" to="https://$1.duckduckgo.com/"/>
|
||||||
|
<!-- TODO: What does ddg.gg/foo do? Runs query foo, redirects to homepage, or error? -->
|
||||||
|
<rule from="^http://ddg\.gg/$" to="https://duckduckgo.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://duck\.co/" to="https://duck.co/" />
|
||||||
|
|
||||||
|
<rule from="^http://i\.duck\.co/"
|
||||||
|
to="https://duckduckgo.com/"/>
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?dukgo\.com/"
|
||||||
|
to="https://dukgo.com/" />
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,44 @@
|
||||||
|
<!--
|
||||||
|
For other Yahoo coverage, see Yahoo.xml.
|
||||||
|
|
||||||
|
|
||||||
|
These altnames don't exist:
|
||||||
|
|
||||||
|
- www.blog.flickr.net
|
||||||
|
- www.code.flickr.net
|
||||||
|
|
||||||
|
-->
|
||||||
|
<ruleset name="Flickr">
|
||||||
|
|
||||||
|
<target host="flic.kr" />
|
||||||
|
<target host="*.flic.kr" />
|
||||||
|
<target host="flickr.com" />
|
||||||
|
<target host="*.flickr.com" />
|
||||||
|
<target host="*.flickr.net" />
|
||||||
|
<target host="*.staticflickr.com" />
|
||||||
|
|
||||||
|
|
||||||
|
<!-- Not secured by server:
|
||||||
|
-->
|
||||||
|
<!--securecookie host="^\.flic\.kr$" name="^BX$" /-->
|
||||||
|
|
||||||
|
<securecookie host="^\.flic\.kr$" name=".+" />
|
||||||
|
<securecookie host=".*\.flickr\.com$" name=".+" />
|
||||||
|
|
||||||
|
|
||||||
|
<rule from="^http://flic\.kr/"
|
||||||
|
to="https://flic.kr/" />
|
||||||
|
|
||||||
|
<rule from="^http://(api\.|www\.)?flickr\.com/"
|
||||||
|
to="https://$1flickr.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://s(ecure|tatic)\.flickr\.com/"
|
||||||
|
to="https://s$1.flickr.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://(c2|farm\d+)\.static(\.)?flickr\.com/"
|
||||||
|
to="https://$1.static$2flickr.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://(blog|code)\.flickr\.net/"
|
||||||
|
to="https://$1.flickr.net/" />
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,11 @@
|
||||||
|
<!--
|
||||||
|
For other GitHub coverage, see Github.xml.
|
||||||
|
-->
|
||||||
|
<ruleset name="GitHub Pages">
|
||||||
|
|
||||||
|
<target host="*.github.io" />
|
||||||
|
|
||||||
|
<rule from="^http://([^/@:\.]+)\.github\.io/"
|
||||||
|
to="https://$1.github.io/" />
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,94 @@
|
||||||
|
<!--
|
||||||
|
Other GitHub rulesets:
|
||||||
|
|
||||||
|
- Github-Pages.xml
|
||||||
|
- Guag.es.xml
|
||||||
|
- Speaker_Deck.com.xml
|
||||||
|
|
||||||
|
|
||||||
|
CDN buckets:
|
||||||
|
|
||||||
|
- github-images.s3.amazonaws.com
|
||||||
|
- github.global.ssl.fastly.net
|
||||||
|
- a248.e.akamai.net/assets.github.com/
|
||||||
|
- a248.e.akamai.net/camo.github.com/
|
||||||
|
- s3.amazonaws.com/github/ | d24z2fz21y4fag.cloudfront.net
|
||||||
|
- github.myshopify.com
|
||||||
|
|
||||||
|
|
||||||
|
Fully covered domains:
|
||||||
|
|
||||||
|
- github.com subdomains:
|
||||||
|
|
||||||
|
- (www.)
|
||||||
|
- assets\d+
|
||||||
|
- assets-cdn
|
||||||
|
- bounty
|
||||||
|
- cloud
|
||||||
|
- f.cloud
|
||||||
|
- codeload
|
||||||
|
- developer
|
||||||
|
- eclipse
|
||||||
|
- enterprise
|
||||||
|
- gist
|
||||||
|
- gist-assets
|
||||||
|
- help
|
||||||
|
- identicons
|
||||||
|
- jobs
|
||||||
|
- mac
|
||||||
|
- mobile
|
||||||
|
- nodeload
|
||||||
|
- octodex
|
||||||
|
- pages
|
||||||
|
- raw
|
||||||
|
- rg3
|
||||||
|
- shop
|
||||||
|
- status
|
||||||
|
- support
|
||||||
|
- training
|
||||||
|
- try
|
||||||
|
- wiki
|
||||||
|
- windows
|
||||||
|
|
||||||
|
- collector.githubapp.com
|
||||||
|
|
||||||
|
- githubusercontent.com
|
||||||
|
|
||||||
|
-->
|
||||||
|
<ruleset name="GitHub">
|
||||||
|
|
||||||
|
<target host="github.com" />
|
||||||
|
<target host="*.github.com" />
|
||||||
|
<target host="github.io" />
|
||||||
|
<target host="*.githubusercontent.com" />
|
||||||
|
<target host="collector.githubapp.com" />
|
||||||
|
|
||||||
|
|
||||||
|
<!-- Secured by server:
|
||||||
|
-->
|
||||||
|
<!--securecookie host="^github\.com$" name="^(_gh_sess|tz|user_session)$" /-->
|
||||||
|
<!--securecookie host="^\.github\.com$" name="^(dotcom_user|logged_in)$" /-->
|
||||||
|
<!--securecookie host="^enterprise\.github\.com$" name="^(_enterprise_web|request_method)$" /-->
|
||||||
|
<!--securecookie host="^gist\.github\.com$" name="^_gist_session$" /-->
|
||||||
|
<!--securecookie host="^help\.github\.com$" name="^_help_session$" /-->
|
||||||
|
<!--
|
||||||
|
Not secured by server:
|
||||||
|
-->
|
||||||
|
<!--securecookie host="^status\.github\.com$" name="^rack\.session$" /-->
|
||||||
|
|
||||||
|
<securecookie host="^(?:.*\.)?github\.com$" name=".+" />
|
||||||
|
|
||||||
|
|
||||||
|
<rule from="^http://((?:assets\d+|assets-cdn|bounty|cloud|f\.cloud|codeload|developer|eclipse|enterprise|gist|gist-assets|help|identicons|jobs|mac|mobile|nodeload|octodex|pages|raw|rg3|shop|status|support|training|try|wiki|windows|www)\.)?github\.com/"
|
||||||
|
to="https://$1github.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://collector\.githubapp\.com/"
|
||||||
|
to="https://collector.githubapp.com/" />
|
||||||
|
|
||||||
|
<rule from="^https?://github\.io/"
|
||||||
|
to="https://pages.github.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://([^/@:\.]+)\.githubusercontent\.com/"
|
||||||
|
to="https://$1.githubusercontent.com/" />
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,26 @@
|
||||||
|
<!--
|
||||||
|
|
||||||
|
Problematic domains:
|
||||||
|
|
||||||
|
- (www.)apture.com (works, mismatched, CN: *.google.com)
|
||||||
|
|
||||||
|
-->
|
||||||
|
<ruleset name="Google (mismatches)" default_off="mismatches">
|
||||||
|
|
||||||
|
<!-- Akamai -->
|
||||||
|
<target host="js.admeld.com"/>
|
||||||
|
<target host="apture.com" />
|
||||||
|
<target host="www.apture.com" />
|
||||||
|
<target host="googleartproject.com"/>
|
||||||
|
<target host="www.googleartproject.com"/>
|
||||||
|
|
||||||
|
<rule from="^http://js\.admeld\.com/"
|
||||||
|
to="https://js.admeld.com/"/>
|
||||||
|
|
||||||
|
<rule from="^https?://(?:www\.)?apture\.com/"
|
||||||
|
to="https://apture.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?googleartproject\.com/"
|
||||||
|
to="https://www.googleartproject.com/"/>
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,14 @@
|
||||||
|
<!--
|
||||||
|
For other Google coverage, see GoogleServices.xml.
|
||||||
|
|
||||||
|
-->
|
||||||
|
<ruleset name="Google.org">
|
||||||
|
|
||||||
|
<target host="google.org" />
|
||||||
|
<target host="www.google.org" />
|
||||||
|
|
||||||
|
|
||||||
|
<rule from="^http://(www\.)?google\.org/"
|
||||||
|
to="https://$1google.org/" />
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,143 @@
|
||||||
|
<!--
|
||||||
|
For other Google coverage, see GoogleServices.xml.
|
||||||
|
|
||||||
|
|
||||||
|
Nonfunctional domains:
|
||||||
|
|
||||||
|
- hosted.gmodules.com *
|
||||||
|
- img0.gmodules.com *
|
||||||
|
- p.gmodules.com *
|
||||||
|
|
||||||
|
* 404; mismatched, CN: *.googleusercontent.com
|
||||||
|
|
||||||
|
|
||||||
|
Problematic domains:
|
||||||
|
|
||||||
|
- gmodules.com (503, CN: www.google.com)
|
||||||
|
- www.gmodules.com (503, CN: *.googleusercontent.com)
|
||||||
|
- gstatic.com (404, valid cert)
|
||||||
|
- api.recaptcha.net (works; mismatched, CN: google.com)
|
||||||
|
|
||||||
|
|
||||||
|
Partially covered domains:
|
||||||
|
|
||||||
|
- (www.)gmodules.com (→ www.google.com)
|
||||||
|
- (www.)google.com
|
||||||
|
- chart.apis.google.com (→ chart.googleapis.com)
|
||||||
|
|
||||||
|
|
||||||
|
Fully covered domains:
|
||||||
|
|
||||||
|
- api.google.com
|
||||||
|
|
||||||
|
- *.clients.google.com:
|
||||||
|
|
||||||
|
- linkhelp
|
||||||
|
|
||||||
|
- ssl.google-analytics.com
|
||||||
|
- www.google-analytics.com
|
||||||
|
|
||||||
|
- googleapis.com subdomains:
|
||||||
|
|
||||||
|
- ajax
|
||||||
|
- chart
|
||||||
|
- *.commondatastorage
|
||||||
|
- fonts
|
||||||
|
- *.storage
|
||||||
|
- www
|
||||||
|
|
||||||
|
- gstatic.com subdomains:
|
||||||
|
|
||||||
|
- (www.) (^ → www)
|
||||||
|
- csi
|
||||||
|
- encrypted-tbn\d
|
||||||
|
- g0
|
||||||
|
- *.metric
|
||||||
|
- ssl
|
||||||
|
- t\d
|
||||||
|
|
||||||
|
- api.recaptcha.net (→ www.google.com)
|
||||||
|
- api-secure.recaptcha.net
|
||||||
|
- gdata.youtube.com
|
||||||
|
|
||||||
|
|
||||||
|
ssl.google-analytics.com/ga.js sets __utm\w wildcard
|
||||||
|
cookies on whichever domain it is loaded from.
|
||||||
|
|
||||||
|
-->
|
||||||
|
<ruleset name="Google APIs">
|
||||||
|
|
||||||
|
<target host="gmodules.com" />
|
||||||
|
<target host="www.gmodules.com" />
|
||||||
|
<target host="google.com" />
|
||||||
|
<target host="apis.google.com" />
|
||||||
|
<target host="*.apis.google.com" />
|
||||||
|
<target host="*.clients.google.com" />
|
||||||
|
<target host="www.google.com" />
|
||||||
|
<target host="*.google-analytics.com" />
|
||||||
|
<target host="*.googleapis.com" />
|
||||||
|
<target host="gstatic.com" />
|
||||||
|
<target host="*.gstatic.com" />
|
||||||
|
<!-- Captive portal detection redirects to this URL, and many captive
|
||||||
|
portals break TLS, so exempt this redirect URL.
|
||||||
|
See GitHub bug #368
|
||||||
|
-->
|
||||||
|
<exclusion pattern="^http://www\.gstatic\.com/generate_204" />
|
||||||
|
<target host="*.recaptcha.net" />
|
||||||
|
<target host="gdata.youtube.com" />
|
||||||
|
<exclusion pattern="^http://gdata\.youtube\.com/crossdomain\.xml" />
|
||||||
|
|
||||||
|
|
||||||
|
<securecookie host="^ssl\.google-analytics\.com$" name=".+" />
|
||||||
|
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?gmodules\.com/ig/images/"
|
||||||
|
to="https://www.google.com/ig/images/" />
|
||||||
|
|
||||||
|
<!-- jsapi was causing problems on some sites that embed google maps:
|
||||||
|
https://trac.torproject.org/projects/tor/ticket/2335
|
||||||
|
Apparently now fixed; thanks, Google!
|
||||||
|
-->
|
||||||
|
<rule from="^http://(?:www\.)?google\.com/(afsonline/|chart|jsapi|recaptcha/|uds)"
|
||||||
|
to="https://www.google.com/$1" />
|
||||||
|
|
||||||
|
<rule from="^http://(api|[\w-]+\.client)s\.google\.com/"
|
||||||
|
to="https://$1s.google.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://chart\.apis\.google\.com/chart"
|
||||||
|
to="https://chart.googleapis.com/chart" />
|
||||||
|
|
||||||
|
<rule from="^http://(ssl|www)\.google-analytics\.com/"
|
||||||
|
to="https://$1.google-analytics.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://(ajax|chart|fonts|www)\.googleapis\.com/"
|
||||||
|
to="https://$1.googleapis.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://([^@:\./]+\.)?(commondata)?storage\.googleapis\.com/"
|
||||||
|
to="https://$1$2storage.googleapis.com/" />
|
||||||
|
|
||||||
|
<!-- There is an interesting question about whether we should
|
||||||
|
append &strip=1 to all cache URLs. This causes them to load
|
||||||
|
without images and styles, which is more secure but can look
|
||||||
|
worse.
|
||||||
|
Without &strip=1, the images and styles from the cached
|
||||||
|
pages still load from the original, typically unencrypted, page.
|
||||||
|
With &strip=1, the cached page will be text-only and
|
||||||
|
will come exclusively from Google's HTTPS server.
|
||||||
|
-->
|
||||||
|
<rule from="^http://(?:www\.)?gstatic\.com/"
|
||||||
|
to="https://www.gstatic.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://(csi|encrypted-tbn\d|g0|[\w-]+\.metric|ssl|t\d)\.gstatic\.com/"
|
||||||
|
to="https://$1.gstatic.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://api\.recaptcha\.net/"
|
||||||
|
to="https://www.google.com/recaptcha/api/" />
|
||||||
|
|
||||||
|
<rule from="^http://api-secure\.recaptcha\.net/"
|
||||||
|
to="https://api-secure.recaptcha.net/" />
|
||||||
|
|
||||||
|
<rule from="^http://gdata\.youtube\.com/"
|
||||||
|
to="https://gdata.youtube.com/" />
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,6 @@
|
||||||
|
<ruleset name="GoogleCanada">
|
||||||
|
<target host="google.ca" />
|
||||||
|
<target host="*.google.ca" />
|
||||||
|
<rule from="^http://([^/:@\.]+)\.google\.ca/finance" to="https://$1.google.ca/finance"/>
|
||||||
|
</ruleset>
|
||||||
|
|
|
@ -0,0 +1,65 @@
|
||||||
|
<!--
|
||||||
|
For other Google coverage, see GoogleServices.xml.
|
||||||
|
|
||||||
|
|
||||||
|
Problematic domains:
|
||||||
|
|
||||||
|
- www.google.bo *
|
||||||
|
- www.google.co *
|
||||||
|
- www.google.ec *
|
||||||
|
- www.google.in *
|
||||||
|
- www.google.kr *
|
||||||
|
- www.google.com.kz **
|
||||||
|
- www.google.com.lk *
|
||||||
|
- www.google.mx **
|
||||||
|
- www.google.sg *
|
||||||
|
- www.google.sl *
|
||||||
|
- www.google.ug *
|
||||||
|
- www.google.vn *
|
||||||
|
|
||||||
|
* 404; mismatched, CN: google.com
|
||||||
|
** Works; mismatched, CN: google.com
|
||||||
|
|
||||||
|
-->
|
||||||
|
<ruleset name="Google Images">
|
||||||
|
|
||||||
|
<target host="google.*" />
|
||||||
|
<target host="www.google.*" />
|
||||||
|
<target host="google.co.*" />
|
||||||
|
<target host="www.google.co.*" />
|
||||||
|
<target host="google.com" />
|
||||||
|
<target host="images.google.com" />
|
||||||
|
<target host="google.com.*" />
|
||||||
|
<target host="www.google.com.*" />
|
||||||
|
<!--
|
||||||
|
Only handle image-related paths in this ruleset:
|
||||||
|
-->
|
||||||
|
<exclusion pattern="^http://(?:www\.)?google(?:\.com?)?\.\w{2,3}/(?!(?:advanced_image_search|imghp|.*tb(?:m=isch|s=sbi)))" />
|
||||||
|
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?google\.com/"
|
||||||
|
to="https://www.google.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://images\.google\.com/"
|
||||||
|
to="https://images.google.com/" />
|
||||||
|
|
||||||
|
<!-- First handle problematic domains:
|
||||||
|
-->
|
||||||
|
<rule from="^http://(?:www\.)?google\.co/"
|
||||||
|
to="https://www.google.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?google\.(?:co\.)?(in|kr|ug)/"
|
||||||
|
to="https://www.google.co.$1/" />
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?google\.(?:com\.)?(kz|lk)/"
|
||||||
|
to="https://www.google.$1/" />
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?google\.(?:com\.)?(bo|ec|mx|sg|sl|vn)/"
|
||||||
|
to="https://www.google.com.$1/" />
|
||||||
|
|
||||||
|
<!-- And then the rest:
|
||||||
|
-->
|
||||||
|
<rule from="^http://(?:www\.)?google\.(com?\.)?(ae|ar|at|au|bg|bh|br|ca|ch|cl|co|cr|cu|de|eg|es|fi|fr|gh|gt|hr|id|ie|il|it|jo|jp|jm|ke|kw|lb|ly|my|na|ng|nl|no|nz|om|pa|pe|pk|pl|pt|py|qa|ro|ru|rw|sa|se|sv|th|tr|uk|uy|ve|za|zw)/"
|
||||||
|
to="https://www.google.$1$2/" />
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,78 @@
|
||||||
|
<ruleset name="Search www.google.com">
|
||||||
|
|
||||||
|
<!--
|
||||||
|
Enabling this ruleset should cause searches to go to
|
||||||
|
https://www.google.com rather than https://encrypted.google.com. Note that
|
||||||
|
the filename is important; it must be before GoogleSearch.xml in a bash
|
||||||
|
expansion of src/chrome/content/rules/*.xml in order to take precedence.
|
||||||
|
-->
|
||||||
|
|
||||||
|
<target host="*.google.com" />
|
||||||
|
<target host="google.com" />
|
||||||
|
<target host="www.google.com.*" />
|
||||||
|
<target host="google.com.*" />
|
||||||
|
<target host="www.google.co.*" />
|
||||||
|
<target host="google.co.*" />
|
||||||
|
<target host="www.google.*" />
|
||||||
|
<target host="google.*" />
|
||||||
|
<!-- beyond clients1 these do not currently exist in the ccTLDs,
|
||||||
|
but just in case... -->
|
||||||
|
<target host="clients1.google.com.*" />
|
||||||
|
<target host="clients2.google.com.*" />
|
||||||
|
<target host="clients3.google.com.*" />
|
||||||
|
<target host="clients4.google.com.*" />
|
||||||
|
<target host="clients5.google.com.*" />
|
||||||
|
<target host="clients6.google.com.*" />
|
||||||
|
<target host="clients1.google.co.*" />
|
||||||
|
<target host="clients2.google.co.*" />
|
||||||
|
<target host="clients3.google.co.*" />
|
||||||
|
<target host="clients4.google.co.*" />
|
||||||
|
<target host="clients5.google.co.*" />
|
||||||
|
<target host="clients6.google.co.*" />
|
||||||
|
<target host="clients1.google.*" />
|
||||||
|
<target host="clients2.google.*" />
|
||||||
|
<target host="clients3.google.*" />
|
||||||
|
<target host="clients4.google.*" />
|
||||||
|
<target host="clients5.google.*" />
|
||||||
|
<target host="clients6.google.*" />
|
||||||
|
|
||||||
|
<rule from="^http://www\.google\.com/$"
|
||||||
|
to="https://www.google.com/"/>
|
||||||
|
|
||||||
|
<!-- The most basic case. -->
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?google\.com/search"
|
||||||
|
to="https://www.google.com/search"/>
|
||||||
|
|
||||||
|
<!-- A very annoying exception that we seem to need for the basic case -->
|
||||||
|
|
||||||
|
<exclusion pattern="^http://(?:www\.)?google\.com/search.*tbs=shop" />
|
||||||
|
<exclusion pattern="^http://clients[0-9]\.google\.com/.*client=products.*" />
|
||||||
|
<exclusion pattern="^http://suggestqueries\.google\.com/.*client=.*" />
|
||||||
|
|
||||||
|
<!-- https://trac.torproject.org/projects/tor/ticket/9713 -->
|
||||||
|
|
||||||
|
<exclusion pattern="^http://clients[0-9]\.google\.com/ocsp" />
|
||||||
|
|
||||||
|
<!-- This is necessary for image results links from web search results -->
|
||||||
|
|
||||||
|
<exclusion pattern="^http://(?:www\.)?google\.com/search.*tbm=isch.*" />
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?google\.com/webhp"
|
||||||
|
to="https://www.google.com/webhp"/>
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?google\.com/#"
|
||||||
|
to="https://www.google.com/#"/>
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?google\.com/$"
|
||||||
|
to="https://www.google.com/"/>
|
||||||
|
|
||||||
|
<!-- Completion urls look like this:
|
||||||
|
|
||||||
|
http://clients2.google.co.jp/complete/search?hl=ja&client=hp&expIds=17259,24660,24729,24745&q=m&cp=1 HTTP/1.1\r\n
|
||||||
|
|
||||||
|
-->
|
||||||
|
<rule from="^http://clients[0-9]\.google\.com/complete/search"
|
||||||
|
to="https://clients1.google.com/complete/search"/>
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,67 @@
|
||||||
|
<!--
|
||||||
|
Problematic domains:
|
||||||
|
|
||||||
|
- khms *
|
||||||
|
- khms[0-3] *
|
||||||
|
|
||||||
|
* $ 404s
|
||||||
|
|
||||||
|
|
||||||
|
Fully covered domains:
|
||||||
|
|
||||||
|
- google.com subdomains:
|
||||||
|
|
||||||
|
- khms
|
||||||
|
- khms[0-3]
|
||||||
|
|
||||||
|
-->
|
||||||
|
<ruleset name="Google Maps">
|
||||||
|
|
||||||
|
<target host="maps.google.*" />
|
||||||
|
<!--
|
||||||
|
https://trac.torproject.org/projects/tor/ticket/8627
|
||||||
|
-->
|
||||||
|
<exclusion pattern="^http://maps\.google\.com/local_url" />
|
||||||
|
<exclusion pattern="^http://maps\.google\.gr/transitathens" />
|
||||||
|
<target host="maps.google.co.*" />
|
||||||
|
<target host="khms.google.com" />
|
||||||
|
<target host="khms0.google.com" />
|
||||||
|
<target host="khms1.google.com" />
|
||||||
|
<target host="khms2.google.com" />
|
||||||
|
<target host="khms3.google.com" />
|
||||||
|
<target host="maps-api-ssl.google.com" />
|
||||||
|
<target host="mw2.google.com" />
|
||||||
|
<target host="maps.google.com.*" />
|
||||||
|
<target host="maps.googleapis.com" />
|
||||||
|
<!--
|
||||||
|
https://mail1.eff.org/pipermail/https-everywhere-rules/2012-September/001317.html
|
||||||
|
-->
|
||||||
|
<!--exclusion pattern="^http://maps\.googleapis\.com/map(files/lib/map_1_20\.swf|sapi/publicapi\?file=flashapi)" /-->
|
||||||
|
<exclusion pattern="^http://maps\.googleapis\.com/map(?:files/lib/map_\d+_\d+\.swf|sapi/publicapi\?file=flashapi)" />
|
||||||
|
<target host="maps.gstatic.com" />
|
||||||
|
|
||||||
|
|
||||||
|
<!--securecookie host="^maps\.google\.(com?\.)?(au|ca|gh|ie|in|jm|ke|lk|my|n[agz]|pk|rw|sl|sg|ug|uk|za|zw)$" name=".+" /-->
|
||||||
|
<securecookie host="^maps\.google\.[\w.]{2,6}$" name=".+" />
|
||||||
|
<securecookie host="^maps\.g(?:oogle|oogleapis|static)\.com$" name=".+" />
|
||||||
|
<securecookie host="^maps-api-ssl\.google\.com$" name=".+" />
|
||||||
|
|
||||||
|
|
||||||
|
<rule from="^http://maps\.google\.([^/]+)/"
|
||||||
|
to="https://maps.google.$1/" />
|
||||||
|
|
||||||
|
<!-- http://khms.../$ 404s:
|
||||||
|
-->
|
||||||
|
<rule from="^http://khms\d?\.google\.com/+\??$"
|
||||||
|
to="https://www.google.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://(khms\d?|maps-api-ssl|mw2)\.google\.com/"
|
||||||
|
to="https://$1.google.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://maps\.g(oogleapis|static)\.com/"
|
||||||
|
to="https://maps.g$1.com/" />
|
||||||
|
|
||||||
|
<rule from="^https://maps\.googleapis\.com/map(?=files/lib/map_\d+_\d+\.swf|sapi/publicapi\?file=flashapi)"
|
||||||
|
to="http://maps.googleapis.com/map" downgrade="1" />
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,6 @@
|
||||||
|
<ruleset name="GoogleMelange">
|
||||||
|
<target host="www.google-melange.com" />
|
||||||
|
<target host="google-melange.com" />
|
||||||
|
|
||||||
|
<rule from="^http://(www\.)?google-melange\.com/" to="https://www.google-melange.com/" />
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,135 @@
|
||||||
|
<ruleset name="Google Search">
|
||||||
|
|
||||||
|
<target host="google.com" />
|
||||||
|
<target host="*.google.com" />
|
||||||
|
<target host="google.com.*" />
|
||||||
|
<target host="www.google.com.*" />
|
||||||
|
<target host="google.co.*" />
|
||||||
|
<target host="www.google.co.*" />
|
||||||
|
<target host="google.*" />
|
||||||
|
<target host="www.google.*" />
|
||||||
|
<!--
|
||||||
|
Beyond clients1 these do not currently
|
||||||
|
exist in the ccTLDs, but just in case...
|
||||||
|
-->
|
||||||
|
<target host="clients1.google.com.*" />
|
||||||
|
<target host="clients2.google.com.*" />
|
||||||
|
<target host="clients3.google.com.*" />
|
||||||
|
<target host="clients4.google.com.*" />
|
||||||
|
<target host="clients5.google.com.*" />
|
||||||
|
<target host="clients6.google.com.*" />
|
||||||
|
<target host="clients1.google.co.*" />
|
||||||
|
<target host="clients2.google.co.*" />
|
||||||
|
<target host="clients3.google.co.*" />
|
||||||
|
<target host="clients4.google.co.*" />
|
||||||
|
<target host="clients5.google.co.*" />
|
||||||
|
<target host="clients6.google.co.*" />
|
||||||
|
<target host="clients1.google.*" />
|
||||||
|
<target host="clients2.google.*" />
|
||||||
|
<target host="clients3.google.*" />
|
||||||
|
<target host="clients4.google.*" />
|
||||||
|
<target host="clients5.google.*" />
|
||||||
|
<target host="clients6.google.*" />
|
||||||
|
|
||||||
|
|
||||||
|
<!-- Some Google pages can generate naive links back to the
|
||||||
|
unencrypted version of encrypted.google.com, which is
|
||||||
|
a 301 but theoretically vulnerable to SSL stripping.
|
||||||
|
-->
|
||||||
|
<rule from="^http://encrypted\.google\.com/"
|
||||||
|
to="https://encrypted.google.com/" />
|
||||||
|
|
||||||
|
<!-- The most basic case.
|
||||||
|
-->
|
||||||
|
<rule from="^http://(?:www\.)?google\.com/search"
|
||||||
|
to="https://encrypted.google.com/search" />
|
||||||
|
|
||||||
|
<!-- A very annoying exception that we
|
||||||
|
seem to need for the basic case
|
||||||
|
-->
|
||||||
|
<exclusion pattern="^http://(?:www\.)?google\.com/search.*tbs=shop" />
|
||||||
|
<exclusion pattern="^http://clients\d\.google\.com/.*client=products.*" />
|
||||||
|
<exclusion pattern="^http://suggestqueries\.google\.com/.*client=.*" />
|
||||||
|
|
||||||
|
<!-- https://trac.torproject.org/projects/tor/ticket/9713
|
||||||
|
-->
|
||||||
|
|
||||||
|
<exclusion pattern="^http://clients[0-9]\.google\.com/ocsp" />
|
||||||
|
|
||||||
|
|
||||||
|
<!-- This is necessary for image results
|
||||||
|
links from web search results
|
||||||
|
-->
|
||||||
|
<exclusion pattern="^http://(?:www\.)?google\.com/search.*tbm=isch.*" />
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?google\.com/about"
|
||||||
|
to="https://www.google.com/about" />
|
||||||
|
|
||||||
|
<!-- There are two distinct cases for these firefox searches -->
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?google(?:\.com?)?\.[a-z]{2}/firefox/?$"
|
||||||
|
to="https://encrypted.google.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?google(?:\.com?)?\.[a-z]{2}/firefox"
|
||||||
|
to="https://encrypted.google.com/webhp" />
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?google\.com/webhp"
|
||||||
|
to="https://encrypted.google.com/webhp" />
|
||||||
|
|
||||||
|
<rule from="^http://codesearch\.google\.com/"
|
||||||
|
to="https://codesearch.google.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?google\.com/codesearch"
|
||||||
|
to="https://www.google.com/codesearch" />
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?google\.com/#"
|
||||||
|
to="https://encrypted.google.com/#" />
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?google\.com/$"
|
||||||
|
to="https://encrypted.google.com/" />
|
||||||
|
|
||||||
|
<!-- Google supports IPv6 search, including
|
||||||
|
HTTPS with a valid certificate! -->
|
||||||
|
<rule from="^http://ipv6\.google\.com/"
|
||||||
|
to="https://ipv6.google.com/" />
|
||||||
|
|
||||||
|
<!-- most google international sites look like
|
||||||
|
"google.fr", some look like "google.co.jp",
|
||||||
|
and some crazy ones like "google.com.au" -->
|
||||||
|
|
||||||
|
<rule from="^http://(www\.)?google(\.com?)?\.([a-z]{2})/(search\?|#)"
|
||||||
|
to="https://$1google$2.$3/$4" />
|
||||||
|
|
||||||
|
<!-- Language preference setting -->
|
||||||
|
<rule from="^http://(www\.)?google(\.com?)?\.([a-z]{2})/setprefs"
|
||||||
|
to="https://$1google$2.$3/setprefs" />
|
||||||
|
|
||||||
|
<!-- Completion urls look like this:
|
||||||
|
|
||||||
|
http://clients2.google.co.jp/complete/search?hl=ja&client=hp&expIds=17259,24660,24729,24745&q=m&cp=1 HTTP/1.1\r\n
|
||||||
|
|
||||||
|
-->
|
||||||
|
<rule from="^http://clients\d\.google\.com/complete/search"
|
||||||
|
to="https://clients1.google.com/complete/search" />
|
||||||
|
|
||||||
|
<rule from="^http://clients\d\.google(\.com?\.[a-z]{2})/complete/search"
|
||||||
|
to="https://clients1.google.$1/complete/search" />
|
||||||
|
|
||||||
|
<rule from="^http://clients\d\.google\.([a-z]{2})/complete/search"
|
||||||
|
to="https://clients1.google.$1/complete/search" />
|
||||||
|
|
||||||
|
<rule from="^http://suggestqueries\.google\.com/complete/search"
|
||||||
|
to="https://clients1.google.com/complete/search" />
|
||||||
|
|
||||||
|
<rule from="^http://(www\.)?google\.(com?\.)?([a-z]{2})/(?:webhp)?$"
|
||||||
|
to="https://$1google.$2$3/" />
|
||||||
|
|
||||||
|
<!-- If there are URL parameters, keep them. -->
|
||||||
|
<rule from="^http://(www\.)?google\.(com?\.)?([a-z]{2})/(?:webhp)?\?"
|
||||||
|
to="https://$1google.$2$3/webhp?" />
|
||||||
|
|
||||||
|
<!-- teapot -->
|
||||||
|
<rule from="^http://(www\.)?google(\.com?)?\.([a-z]{2})/teapot"
|
||||||
|
to="https://$1google$2.$3/teapot" />
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,345 @@
|
||||||
|
<!--
|
||||||
|
Other Google rulesets:
|
||||||
|
|
||||||
|
- 2mdn.net.xml
|
||||||
|
- Admeld.xml
|
||||||
|
- ChannelIntelligence.com.xml
|
||||||
|
- Doubleclick.net.xml
|
||||||
|
- FeedBurner.xml
|
||||||
|
- Google.org.xml
|
||||||
|
- GoogleAPIs.xml
|
||||||
|
- Google_App_Engine.xml
|
||||||
|
- GoogleImages.xml
|
||||||
|
- GoogleShopping.xml
|
||||||
|
- Ingress.xml
|
||||||
|
- Meebo.xml
|
||||||
|
- Orkut.xml
|
||||||
|
- Postini.xml
|
||||||
|
- WebM_Project.org.xml
|
||||||
|
|
||||||
|
|
||||||
|
Nonfunctional domains:
|
||||||
|
|
||||||
|
- feedproxy.google.com (404, valid cert)
|
||||||
|
- partnerpage.google.com *
|
||||||
|
- safebrowsing.clients.google.com (404, mismatched)
|
||||||
|
- (www.)googlesyndicatedsearch.com (404; mismatched, CN: google.com)
|
||||||
|
- buttons.googlesyndication.com *
|
||||||
|
|
||||||
|
* 404, valid cert
|
||||||
|
|
||||||
|
|
||||||
|
Nonfunctional google.com paths:
|
||||||
|
|
||||||
|
- analytics (redirects to http)
|
||||||
|
- imgres
|
||||||
|
- gadgets *
|
||||||
|
- hangouts (404)
|
||||||
|
- u/ (404)
|
||||||
|
|
||||||
|
* Redirects to http
|
||||||
|
|
||||||
|
|
||||||
|
Problematic domains:
|
||||||
|
|
||||||
|
- www.goo.gl (404; mismatched, CN: *.google.com)
|
||||||
|
|
||||||
|
- google.com subdomains:
|
||||||
|
|
||||||
|
- books (googlebooks/, images/, & intl/ 404, but works when rewritten to www)
|
||||||
|
- cbks0 ****
|
||||||
|
- earth *
|
||||||
|
- gg ($ 404s)
|
||||||
|
- knoll *
|
||||||
|
- scholar **
|
||||||
|
- trends *
|
||||||
|
|
||||||
|
- news.google.cctld **
|
||||||
|
- scholar.google.cctld **
|
||||||
|
- *-opensocial.googleusercontent.com ***
|
||||||
|
|
||||||
|
**** $ 404s
|
||||||
|
* 404, valid cert
|
||||||
|
** Redirects to http, valid cert
|
||||||
|
*** Breaks followers widget - https://trac.torproject.org/projects/tor/ticket/7294
|
||||||
|
|
||||||
|
|
||||||
|
Partially covered domains:
|
||||||
|
|
||||||
|
- google.cctld subdomains:
|
||||||
|
|
||||||
|
- scholar (→ www)
|
||||||
|
|
||||||
|
- google.com subdomains:
|
||||||
|
|
||||||
|
- (www.)
|
||||||
|
- cbks0 ($ 404s)
|
||||||
|
- gg ($ 404s)
|
||||||
|
- news (→ www)
|
||||||
|
- scholar (→ www)
|
||||||
|
|
||||||
|
- *.googleusercontent.com (*-opensocial excluded)
|
||||||
|
|
||||||
|
|
||||||
|
Fully covered domains:
|
||||||
|
|
||||||
|
- lh[3-6].ggpht.com
|
||||||
|
- (www.)goo.gl (www → ^)
|
||||||
|
|
||||||
|
- google.com subdomains:
|
||||||
|
|
||||||
|
- accounts
|
||||||
|
- adwords
|
||||||
|
- apis
|
||||||
|
- appengine
|
||||||
|
- books (→ encrypted)
|
||||||
|
- calendar
|
||||||
|
- checkout
|
||||||
|
- chrome
|
||||||
|
- clients[12]
|
||||||
|
- code
|
||||||
|
- *.corp
|
||||||
|
- developers
|
||||||
|
- dl
|
||||||
|
- docs
|
||||||
|
- docs\d
|
||||||
|
- \d.docs
|
||||||
|
- drive
|
||||||
|
- earth (→ www)
|
||||||
|
- encrypted
|
||||||
|
- encrypted-tbn[123]
|
||||||
|
- feedburner
|
||||||
|
- fiber
|
||||||
|
- finance
|
||||||
|
- glass
|
||||||
|
- groups
|
||||||
|
- health
|
||||||
|
- helpouts
|
||||||
|
- history
|
||||||
|
- hostedtalkgadget
|
||||||
|
- id
|
||||||
|
- investor
|
||||||
|
- knol
|
||||||
|
- knoll (→ knol)
|
||||||
|
- lh\d
|
||||||
|
- mail
|
||||||
|
- chatenabled.mail
|
||||||
|
- pack
|
||||||
|
- picasaweb
|
||||||
|
- pki
|
||||||
|
- play
|
||||||
|
- plus
|
||||||
|
- plusone
|
||||||
|
- productforums
|
||||||
|
- profiles
|
||||||
|
- safebrowsing-cache
|
||||||
|
- cert-test.sandbox
|
||||||
|
- plus.sandbox
|
||||||
|
- sb-ssl
|
||||||
|
- script
|
||||||
|
- security
|
||||||
|
- services
|
||||||
|
- servicessites
|
||||||
|
- sites
|
||||||
|
- spreadsheets
|
||||||
|
- spreadsheets\d
|
||||||
|
- support
|
||||||
|
- talk
|
||||||
|
- talkgadget
|
||||||
|
- tbn2 (→ encrypted-tbn2)
|
||||||
|
- tools
|
||||||
|
- trends (→ www)
|
||||||
|
|
||||||
|
- partner.googleadservices.com
|
||||||
|
- (www.)googlecode.com
|
||||||
|
- *.googlecode.com (per-project subdomains)
|
||||||
|
- googlesource.com
|
||||||
|
- *.googlesource.com
|
||||||
|
- pagead2.googlesyndication.com
|
||||||
|
- tpc.googlesyndication.com
|
||||||
|
- mail-attachment.googleusercontent.com
|
||||||
|
- webcache.googleusercontent.com
|
||||||
|
|
||||||
|
|
||||||
|
XXX: Needs more testing
|
||||||
|
|
||||||
|
-->
|
||||||
|
<ruleset name="Google Services">
|
||||||
|
|
||||||
|
<target host="*.ggpht.com" />
|
||||||
|
<target host="gmail.com" />
|
||||||
|
<target host="www.gmail.com" />
|
||||||
|
<target host="goo.gl" />
|
||||||
|
<target host="www.goo.gl" />
|
||||||
|
<target host="google.*" />
|
||||||
|
<target host="accounts.google.*" />
|
||||||
|
<target host="adwords.google.*" />
|
||||||
|
<target host="finance.google.*" />
|
||||||
|
<target host="groups.google.*" />
|
||||||
|
<target host="it.google.*" />
|
||||||
|
<target host="news.google.*" />
|
||||||
|
<exclusion pattern="^http://(?:news\.)?google\.com/(?:archivesearch|newspapers)" />
|
||||||
|
<target host="picasaweb.google.*" />
|
||||||
|
<target host="scholar.google.*" />
|
||||||
|
<target host="www.google.*" />
|
||||||
|
<target host="*.google.ca" />
|
||||||
|
<target host="google.co.*" />
|
||||||
|
<target host="accounts.google.co.*" />
|
||||||
|
<target host="adwords.google.co.*" />
|
||||||
|
<target host="finance.google.co.*" />
|
||||||
|
<target host="groups.google.co.*" />
|
||||||
|
<target host="id.google.co.*" />
|
||||||
|
<target host="news.google.co.*" />
|
||||||
|
<target host="picasaweb.google.co.*" />
|
||||||
|
<target host="scholar.google.co.*" />
|
||||||
|
<target host="www.google.co.*" />
|
||||||
|
<target host="google.com" />
|
||||||
|
<target host="*.google.com" />
|
||||||
|
<exclusion pattern="^http://(?:www\.)?google\.com/analytics/*(?:/[^/]+)?(?:\?.*)?$" />
|
||||||
|
<!--exclusion pattern="^http://books\.google\.com/(?!books/(\w+\.js|css/|javascript/)|favicon\.ico|googlebooks/|images/|intl/)" /-->
|
||||||
|
<exclusion pattern="^http://cbks0\.google\.com/(?:$|\?)" />
|
||||||
|
<exclusion pattern="^http://gg\.google\.com/(?!csi(?:$|\?))" />
|
||||||
|
<target host="google.com.*" />
|
||||||
|
<target host="accounts.google.com.*" />
|
||||||
|
<target host="adwords.google.com.*" />
|
||||||
|
<target host="groups.google.com.*" />
|
||||||
|
<target host="id.google.com.*" />
|
||||||
|
<target host="news.google.com.*" />
|
||||||
|
<target host="picasaweb.google.com.*" />
|
||||||
|
<target host="scholar.google.com.*" />
|
||||||
|
<target host="www.google.com.*" />
|
||||||
|
<target host="partner.googleadservices.com" />
|
||||||
|
<target host="googlecode.com" />
|
||||||
|
<target host="*.googlecode.com" />
|
||||||
|
<target host="googlemail.com" />
|
||||||
|
<target host="www.googlemail.com" />
|
||||||
|
<target host="googlesource.com" />
|
||||||
|
<target host="*.googlesource.com" />
|
||||||
|
<target host="*.googlesyndication.com" />
|
||||||
|
<target host="www.googletagservices.com" />
|
||||||
|
<target host="googleusercontent.com" />
|
||||||
|
<target host="*.googleusercontent.com" />
|
||||||
|
<!--
|
||||||
|
Necessary for the Followers widget:
|
||||||
|
|
||||||
|
https://trac.torproject.org/projects/tor/ticket/7294
|
||||||
|
-->
|
||||||
|
<exclusion pattern="http://[^@:\./]+-opensocial\.googleusercontent\.com" />
|
||||||
|
|
||||||
|
|
||||||
|
<!-- Can we secure any of these wildcard cookies safely?
|
||||||
|
-->
|
||||||
|
<!--securecookie host="^\.google\.com$" name="^(hl|I4SUserLocale|NID|PREF|S)$" /-->
|
||||||
|
<!--securecookie host="^\.google\.[\w.]{2,6}$" name="^(hl|I4SUserLocale|NID|PREF|S|S_awfe)$" /-->
|
||||||
|
<securecookie host="^(?:accounts|adwords|\.code|login\.corp|developers|docs|\d\.docs|fiber|mail|picasaweb|plus|\.?productforums|support)\.google\.[\w.]{2,6}$" name=".+" />
|
||||||
|
<securecookie host="^www\.google\.com$" name="^GoogleAccountsLocale_session$" />
|
||||||
|
<securecookie host="^mail-attachment\.googleusercontent\.com$" name=".+" />
|
||||||
|
<securecookie host="^gmail\.com$" name=".+" />
|
||||||
|
<securecookie host="^www\.gmail\.com$" name=".+" />
|
||||||
|
<securecookie host="^googlemail\.com$" name=".+" />
|
||||||
|
<securecookie host="^www\.googlemail\.com$" name=".+" />
|
||||||
|
|
||||||
|
|
||||||
|
<!-- - lh 3-6 exist
|
||||||
|
- All appear identical
|
||||||
|
- Identical to lh\d.googleusercontent.com
|
||||||
|
-->
|
||||||
|
<rule from="^http://lh(\d)\.ggpht\.com/"
|
||||||
|
to="https://lh$1.ggpht.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://lh(\d)\.google\.ca/"
|
||||||
|
to="https://lh$1.google.ca/" />
|
||||||
|
|
||||||
|
|
||||||
|
<rule from="^http://(www\.)?g(oogle)?mail\.com/"
|
||||||
|
to="https://$1g$2mail.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?goo\.gl/"
|
||||||
|
to="https://goo.gl/" />
|
||||||
|
|
||||||
|
|
||||||
|
<!-- Redirects to http when rewritten to www:
|
||||||
|
-->
|
||||||
|
<rule from="^http://books\.google\.com/"
|
||||||
|
to="https://encrypted.google.com/" />
|
||||||
|
|
||||||
|
<!-- tisp$ 404s:
|
||||||
|
-->
|
||||||
|
<rule from="^http://(?:www\.)?google\.((?:com?\.)?\w{2,3})/tisp(?=$|\?)"
|
||||||
|
to="https://www.google.$1/tisp/" />
|
||||||
|
|
||||||
|
<!-- Paths that work on all in google.*
|
||||||
|
-->
|
||||||
|
<rule from="^http://(?:www\.)?google\.((?:com?\.)?\w{2,3})/(accounts|adplanner|ads|adsense|adwords|analytics|bookmarks|chrome|contacts|coop|cse|css|culturalinstitute|doodles|earth|favicon\.ico|finance|get|goodtoknow|googleblogs|grants|green|hostednews|images|intl|js|landing|logos|mapmaker|newproducts|news|nexus|patents|policies|prdhp|profiles|products|reader|s2|settings|shopping|support|tisp|tools|transparencyreport|trends|urchin|webmasters)(?=$|[?/])"
|
||||||
|
to="https://www.google.$1/$2" />
|
||||||
|
|
||||||
|
<!-- Paths that 404 on .ccltd, but work on .com:
|
||||||
|
-->
|
||||||
|
<rule from="^http://(?:www\.)?google\.(?:com?\.)?\w{2,3}/(?=calendar|dictionary|doubleclick|help|ideas|pacman|postini|powermeter|url)"
|
||||||
|
to="https://www.google.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?google\.(?:com?\.)?\w{2,3}/custom"
|
||||||
|
to="https://www.google.com/cse" />
|
||||||
|
|
||||||
|
<!-- Paths that only exist/work on .com
|
||||||
|
-->
|
||||||
|
<rule from="^http://(?:www\.)?google\.com/(\+|appsstatus|books|buzz|extern_js|glass|googlebooks|ig|insights|moderator|phone|safebrowsing|videotargetting|webfonts)(?=$|[?/])"
|
||||||
|
to="https://www.google.com/$1" />
|
||||||
|
|
||||||
|
<!-- Subdomains that work on all in google.*
|
||||||
|
-->
|
||||||
|
<rule from="^http://(accounts|adwords|finance|groups|id|picasaweb|)\.google\.((?:com?\.)?\w{2,3})/"
|
||||||
|
to="https://$1.google.$2/" />
|
||||||
|
|
||||||
|
<!-- Subdomains that only exist/work on .com
|
||||||
|
-->
|
||||||
|
<rule from="^http://(apis|appengine|books|calendar|cbks0|chat|checkout|chrome|clients[12]|code|[\w-]+\.corp|developers|dl|docs\d?|\d\.docs|drive|encrypted|encrypted-tbn[123]|feedburner|fiber|fonts|gg|glass||health|helpouts|history|(?:hosted)?talkgadget|investor|lh\d|(?:chatenabled\.)?mail|pack|pki|play|plus(?:\.sandbox)?|plusone|productforums|profiles|safebrowsing-cache|cert-test\.sandbox|sb-ssl|script|security|services|servicessites|sites|spreadsheets\d?|support|talk|tools)\.google\.com/"
|
||||||
|
to="https://$1.google.com/" />
|
||||||
|
|
||||||
|
<exclusion pattern="^http://clients[0-9]\.google\.com/ocsp"/>
|
||||||
|
|
||||||
|
<rule from="^http://earth\.google\.com/"
|
||||||
|
to="https://www.google.com/earth/" />
|
||||||
|
|
||||||
|
<rule from="^http://scholar\.google\.((?:com?\.)?\w{2,3})/intl/"
|
||||||
|
to="https://www.google.$1/intl/" />
|
||||||
|
|
||||||
|
<rule from="^http://(?:encrypted-)?tbn2\.google\.com/"
|
||||||
|
to="https://encrypted-tbn2.google.com/" />
|
||||||
|
|
||||||
|
|
||||||
|
<rule from="^http://knoll?\.google\.com/"
|
||||||
|
to="https://knol.google.com/" />
|
||||||
|
|
||||||
|
|
||||||
|
<rule from="^http://news\.google\.(?:com?\.)?\w{2,3}/(?:$|news|newshp)"
|
||||||
|
to="https://www.google.com/news" />
|
||||||
|
|
||||||
|
<rule from="^http://trends\.google\.com/"
|
||||||
|
to="https://www.google.com/trends" />
|
||||||
|
|
||||||
|
|
||||||
|
<rule from="^http://([^/:@\.]+\.)?googlecode\.com/"
|
||||||
|
to="https://$1googlecode.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://([^\./]\.)?googlesource\.com/"
|
||||||
|
to="https://$1googlesource.com/" />
|
||||||
|
|
||||||
|
|
||||||
|
<rule from="^http://partner\.googleadservices\.com/"
|
||||||
|
to="https://partner.googleadservices.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://(pagead2|tpc)\.googlesyndication\.com/"
|
||||||
|
to="https://$1.googlesyndication.com/" />
|
||||||
|
|
||||||
|
<!-- !www doesn't exist.
|
||||||
|
-->
|
||||||
|
<rule from="^http://www\.googletagservices\.com/tag/js/"
|
||||||
|
to="https://www.googletagservices.com/tag/js/" />
|
||||||
|
|
||||||
|
|
||||||
|
<rule from="^http://([^@:\./]+)\.googleusercontent\.com/"
|
||||||
|
to="https://$1.googleusercontent.com/" />
|
||||||
|
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,28 @@
|
||||||
|
<!--
|
||||||
|
For other Google coverage, see GoogleServices.xml.
|
||||||
|
|
||||||
|
-->
|
||||||
|
<ruleset name="Google Shopping">
|
||||||
|
|
||||||
|
<target host="google.*" />
|
||||||
|
<target host="www.google.*" />
|
||||||
|
<target host="google.co.*" />
|
||||||
|
<target host="www.google.co.*" />
|
||||||
|
<target host="*.google.com" />
|
||||||
|
<target host="google.com.*" />
|
||||||
|
<target host="www.google.com.*" />
|
||||||
|
|
||||||
|
|
||||||
|
<rule from="^http://encrypted\.google\.com/(prdhp|shopping)"
|
||||||
|
to="https://www.google.com/$1" />
|
||||||
|
|
||||||
|
<rule from="^http://shopping\.google\.com/"
|
||||||
|
to="https://shopping.google.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://(?:encrypted|www)\.google\.com/(.*tbm=shop)"
|
||||||
|
to="https://www.google.com/$1" />
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?google\.((?:com?\.)?(?:ae|ar|at|au|bg|bh|bo|br|ca|ch|cl|cr|co|cu|de|ec|eg|es|fi|fr|gh|gt|hr|id|ie|il|in|it|jm|jo|jp|ke|kr|kw|kz|lb|lk|ly|mx|my|na|ng|nl|no|nz|om|pa|pe|pk|pl|pt|py|qa|ro|ru|rw|sa|sg|sl|se|sv|th|tr|ug|uk|uy|ve|vn|za|zw))/(?=prdhp|shopping)"
|
||||||
|
to="https://www.google.com/$1" />
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,7 @@
|
||||||
|
<ruleset name="GoogleSorry">
|
||||||
|
<target host="sorry.google.com" />
|
||||||
|
<target host="www.google.com" />
|
||||||
|
<target host="google.com" />
|
||||||
|
|
||||||
|
<rule from="^http://((sorry|www)\.)?google\.com/sorry/" to="https://sorry.google.com/sorry/" />
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,8 @@
|
||||||
|
<ruleset name="Google Translate (broken)" default_off="redirect loops">
|
||||||
|
<target host="translate.googleapis.com" />
|
||||||
|
<target host="translate.google.com" />
|
||||||
|
|
||||||
|
<rule from="^http://translate\.googleapis\.com/" to="https://translate.googleapis.com/"/>
|
||||||
|
<rule from="^http://translate\.google\.com/"
|
||||||
|
to="https://translate.google.com/" />
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,83 @@
|
||||||
|
<ruleset name="Google Videos">
|
||||||
|
<target host="*.google.com" />
|
||||||
|
<target host="google.com" />
|
||||||
|
<target host="www.google.com.*" />
|
||||||
|
<target host="google.com.*" />
|
||||||
|
<target host="www.google.co.*" />
|
||||||
|
<target host="google.co.*" />
|
||||||
|
<target host="www.google.*" />
|
||||||
|
<target host="google.*" />
|
||||||
|
|
||||||
|
<rule from="^http://encrypted\.google\.com/videohp"
|
||||||
|
to="https://encrypted.google.com/videohp" />
|
||||||
|
|
||||||
|
<!-- https://videos.google.com is currently broken; work around that... -->
|
||||||
|
<rule from="^https?://videos?\.google\.com/$"
|
||||||
|
to="https://encrypted.google.com/videohp" />
|
||||||
|
<rule from="^http://(?:www\.)?google\.com/videohp"
|
||||||
|
to="https://encrypted.google.com/videohp" />
|
||||||
|
<rule from="^http://(?:images|www|encrypted)\.google\.com/(.*tbm=isch)"
|
||||||
|
to="https://encrypted.google.com/$1" />
|
||||||
|
|
||||||
|
<rule
|
||||||
|
from="^http://(?:www\.)?google\.(?:com?\.)?(?:au|ca|gh|ie|in|jm|ke|lk|my|na|ng|nz|pk|rw|sl|sg|ug|uk|za|zw)/videohp"
|
||||||
|
to="https://encrypted.google.com/videohp" />
|
||||||
|
<rule
|
||||||
|
from="^http://(?:www\.)?google\.(?:com?\.)?(?:ar|bo|cl|co|cu|cr|ec|es|gt|mx|pa|pe|py|sv|uy|ve)/videohp$"
|
||||||
|
to="https://encrypted.google.com/videohp?hl=es" />
|
||||||
|
<rule
|
||||||
|
from="^http://(?:www\.)?google\.(?:com\.)?(?:ae|bh|eg|jo|kw|lb|ly|om|qa|sa)/videohp$"
|
||||||
|
to="https://encrypted.google.com/videohp?hl=ar" />
|
||||||
|
<rule from="^http://(?:www\.)?google\.(?:at|ch|de)/videohp$"
|
||||||
|
to="https://encrypted.google.com/videohp?hl=de" />
|
||||||
|
<rule from="^http://(?:www\.)?google\.(fr|nl|it|pl|ru|bg|pt|ro|hr|fi|no)/videohp$"
|
||||||
|
to="https://encrypted.google.com/videohp?hl=$1" />
|
||||||
|
<rule from="^http://(?:www\.)?google\.com?\.(id|th|tr)/videohp$"
|
||||||
|
to="https://encrypted.google.com/videohp?hl=$1" />
|
||||||
|
<rule from="^http://(?:www\.)?google\.com\.il/videohp$"
|
||||||
|
to="https://encrypted.google.com/videohp?hl=he" />
|
||||||
|
<rule from="^http://(?:www\.)?google\.com\.kr/videohp$"
|
||||||
|
to="https://encrypted.google.com/videohp?hl=ko" />
|
||||||
|
<rule from="^http://(?:www\.)?google\.com\.kz/videohp$"
|
||||||
|
to="https://encrypted.google.com/videohp?hl=kk" />
|
||||||
|
<rule from="^http://(?:www\.)?google\.com\.jp/videohp$"
|
||||||
|
to="https://encrypted.google.com/videohp?hl=ja" />
|
||||||
|
<rule from="^http://(?:www\.)?google\.com\.vn/videohp$"
|
||||||
|
to="https://encrypted.google.com/videohp?hl=vi" />
|
||||||
|
<rule from="^http://(?:www\.)?google\.com\.br/videohp$"
|
||||||
|
to="https://encrypted.google.com/videohp?hl=pt-BR" />
|
||||||
|
<rule from="^http://(?:www\.)?google\.se/videohp$"
|
||||||
|
to="https://encrypted.google.com/videohp?hl=sv" />
|
||||||
|
|
||||||
|
<!-- If there are URL parameters, keep them. -->
|
||||||
|
<rule
|
||||||
|
from="^http://(?:www\.)?google\.(?:com?\.)?(?:ar|bo|cl|co|cu|cr|ec|es|gt|mx|pa|pe|py|sv|uy|ve)/videohp\?"
|
||||||
|
to="https://encrypted.google.com/videohp?hl=es&" />
|
||||||
|
<rule
|
||||||
|
from="^http://(?:www\.)?google\.(?:com\.)?(?:ae|bh|eg|jo|kw|lb|ly|om|qa|sa)/videohp\?"
|
||||||
|
to="https://encrypted.google.com/videohp?hl=ar&" />
|
||||||
|
<rule from="^http://(?:www\.)?google\.(?:at|ch|de)/videohp\?"
|
||||||
|
to="https://encrypted.google.com/videohp?hl=de&" />
|
||||||
|
<rule from="^http://(?:www\.)?google\.(fr|nl|it|pl|ru|bg|pt|ro|hr|fi|no)/videohp\?"
|
||||||
|
to="https://encrypted.google.com/videohp?hl=$1&" />
|
||||||
|
<rule from="^http://(?:www\.)?google\.com?\.(id|th|tr)/videohp\?"
|
||||||
|
to="https://encrypted.google.com/videohp?hl=$1&" />
|
||||||
|
<rule from="^http://(?:www\.)?google\.com\.il/videohp\?"
|
||||||
|
to="https://encrypted.google.com/videohp?hl=he&" />
|
||||||
|
<rule from="^http://(?:www\.)?google\.com\.kr/videohp\?"
|
||||||
|
to="https://encrypted.google.com/videohp?hl=ko&" />
|
||||||
|
<rule from="^http://(?:www\.)?google\.com\.kz/videohp\?"
|
||||||
|
to="https://encrypted.google.com/videohp?hl=kk&" />
|
||||||
|
<rule from="^http://(?:www\.)?google\.com\.jp/videohp\?"
|
||||||
|
to="https://encrypted.google.com/videohp?hl=ja&" />
|
||||||
|
<rule from="^http://(?:www\.)?google\.com\.vn/videohp\?"
|
||||||
|
to="https://encrypted.google.com/videohp?hl=vi&" />
|
||||||
|
<rule from="^http://(?:www\.)?google\.com\.br/videohp\?"
|
||||||
|
to="https://encrypted.google.com/videohp?hl=pt-BR&" />
|
||||||
|
<rule from="^http://(?:www\.)?google\.se/videohp\?"
|
||||||
|
to="https://encrypted.google.com/videohp?hl=sv&" />
|
||||||
|
|
||||||
|
<rule from="^http://video\.google\.com/ThumbnailServer2"
|
||||||
|
to="https://video.google.com/ThumbnailServer2" />
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,17 @@
|
||||||
|
<!--
|
||||||
|
gwbhrd.appspot.com
|
||||||
|
|
||||||
|
-->
|
||||||
|
<ruleset name="GoogleWatchBlog">
|
||||||
|
|
||||||
|
<target host="googlewatchblog.de" />
|
||||||
|
<target host="*.googlewatchblog.de" />
|
||||||
|
|
||||||
|
|
||||||
|
<securecookie host="^(?:www)?\.googlewatchblog\.de$" name=".+" />
|
||||||
|
|
||||||
|
|
||||||
|
<rule from="^http://(static\.|www\.)?googlewatchblog\.de/"
|
||||||
|
to="https://$1googlewatchblog.de/" />
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,21 @@
|
||||||
|
<!--
|
||||||
|
For other Google coverage, see GoogleServices.xml.
|
||||||
|
|
||||||
|
-->
|
||||||
|
<ruleset name="Google App Engine">
|
||||||
|
|
||||||
|
<target host="appspot.com" />
|
||||||
|
<target host="*.appspot.com" />
|
||||||
|
<!--
|
||||||
|
Redirects to http for some reason.
|
||||||
|
-->
|
||||||
|
<exclusion pattern="^http://photomunchers\.appspot\.com/" />
|
||||||
|
|
||||||
|
|
||||||
|
<securecookie host="^.+\.appspot\.com$" name=".+" />
|
||||||
|
|
||||||
|
|
||||||
|
<rule from="^http://([^@:\./]+\.)?appspot\.com/"
|
||||||
|
to="https://$1appspot.com/" />
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,16 @@
|
||||||
|
<!-- This rule was automatically generated based on an HSTS
|
||||||
|
preload rule in the Chromium browser. See
|
||||||
|
https://src.chromium.org/viewvc/chrome/trunk/src/net/base/transport_security_state.cc
|
||||||
|
for the list of preloads. Sites are added to the Chromium HSTS
|
||||||
|
preload list on request from their administrators, so HTTPS should
|
||||||
|
work properly everywhere on this site.
|
||||||
|
|
||||||
|
Because Chromium and derived browsers automatically force HTTPS for
|
||||||
|
every access to this site, this rule applies only to Firefox. -->
|
||||||
|
<ruleset name="Googleplex.com (default off)" platform="firefox" default_off="Certificate error">
|
||||||
|
<target host="googleplex.com" />
|
||||||
|
|
||||||
|
<securecookie host="^googleplex\.com$" name=".+" />
|
||||||
|
|
||||||
|
<rule from="^http://googleplex\.com/" to="https://googleplex.com/" />
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,15 @@
|
||||||
|
<ruleset name="OpenStreetMap">
|
||||||
|
|
||||||
|
<target host="openstreetmap.org"/>
|
||||||
|
<target host="*.openstreetmap.org"/>
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?openstreetmap\.org/"
|
||||||
|
to="https://www.openstreetmap.org/"/>
|
||||||
|
|
||||||
|
<rule from="^http://tile\.openstreetmap\.org/"
|
||||||
|
to="https://a.tile.openstreetmap.org/"/>
|
||||||
|
|
||||||
|
<rule from="^http://(blog|help|lists|nominatim|piwik|taginfo|[abc]\.tile|trac|wiki)\.openstreetmap\.org/"
|
||||||
|
to="https://$1.openstreetmap.org/"/>
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,14 @@
|
||||||
|
<!--
|
||||||
|
www: cert only matches ^rawgithub.com
|
||||||
|
|
||||||
|
-->
|
||||||
|
<ruleset name="rawgithub.com">
|
||||||
|
|
||||||
|
<target host="rawgithub.com" />
|
||||||
|
<target host="www.rawgithub.com" />
|
||||||
|
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?rawgithub\.com/"
|
||||||
|
to="https://rawgithub.com/" />
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,101 @@
|
||||||
|
<!--
|
||||||
|
|
||||||
|
CDN buckets:
|
||||||
|
|
||||||
|
- akmedia-a.akamaihd.net
|
||||||
|
|
||||||
|
- soundcloud.assistly.com
|
||||||
|
|
||||||
|
- help.soundcloud.com
|
||||||
|
|
||||||
|
- cs70.wac.edgecastcdn.net
|
||||||
|
|
||||||
|
- a1.sndcdn.com
|
||||||
|
- i1.sndcdn.com
|
||||||
|
- w1.sndcdn.com
|
||||||
|
|
||||||
|
- wpc.658D.edgecastcdn.net
|
||||||
|
- m-a.sndcdn.com.edgesuite.net
|
||||||
|
- soundcloud.gettyimages.com
|
||||||
|
|
||||||
|
- scbackstage.wpengine.netdna-cdn.com
|
||||||
|
|
||||||
|
- ssl doesn't exist
|
||||||
|
- backstage.soundcloud.com
|
||||||
|
|
||||||
|
- soundcloud.wpengine.netdna-cdn.com
|
||||||
|
|
||||||
|
- -ssl doesn't exist
|
||||||
|
- blog.soundcloud.com
|
||||||
|
|
||||||
|
- gs1.wpc.v2cdn.netcdn.net
|
||||||
|
- gs1.wpc.v2cdn.net
|
||||||
|
|
||||||
|
- ec-media.soundcloud.com
|
||||||
|
|
||||||
|
Nonfunctional soundcloud.com subdomains:
|
||||||
|
|
||||||
|
- help (redirects to http, mismatched, CN: *.assistly.com)
|
||||||
|
- m (redirects to http)
|
||||||
|
- media
|
||||||
|
- status (times out)
|
||||||
|
|
||||||
|
|
||||||
|
Problematic domains:
|
||||||
|
|
||||||
|
- m-a.sndcdn.com (works, akamai)
|
||||||
|
|
||||||
|
|
||||||
|
Partially covered domains:
|
||||||
|
|
||||||
|
- backstage.soundcloud.com
|
||||||
|
|
||||||
|
|
||||||
|
Fully covered domains:
|
||||||
|
|
||||||
|
- sndcdn.com subdomains:
|
||||||
|
|
||||||
|
- a[12]
|
||||||
|
- api
|
||||||
|
- i[1-4]
|
||||||
|
- w[12]
|
||||||
|
- wis
|
||||||
|
|
||||||
|
- soundcloud.com subdomains:
|
||||||
|
|
||||||
|
- (www.)
|
||||||
|
- api
|
||||||
|
- blog
|
||||||
|
- connect
|
||||||
|
- developers
|
||||||
|
- ec-media
|
||||||
|
- eventlogger
|
||||||
|
- help-assets
|
||||||
|
- media
|
||||||
|
- visuals
|
||||||
|
- w
|
||||||
|
|
||||||
|
-->
|
||||||
|
<ruleset name="Soundcloud (partial)">
|
||||||
|
|
||||||
|
<target host="scbackstage.wpengine.netdna-cdn.com" />
|
||||||
|
<target host="soundcloud.wpengine.netdna-cdn.com" />
|
||||||
|
<target host="*.sndcdn.com" />
|
||||||
|
<target host="soundcloud.com" />
|
||||||
|
<target host="*.soundcloud.com" />
|
||||||
|
<exclusion pattern="^https?://(?:scbackstage\.wpengine\.netdna-cdn|backstage\.soundcloud)\.com/(?!wp-content/)" />
|
||||||
|
|
||||||
|
|
||||||
|
<rule from="^http://([aiw]\d|api|wis)\.sndcdn\.com/"
|
||||||
|
to="https://$1.sndcdn.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://((?:api|backstage|blog|connect|developers|ec-media|eventlogger|help-assets|media|visuals|w|www)\.)?soundcloud\.com/"
|
||||||
|
to="https://$1soundcloud.com/" />
|
||||||
|
|
||||||
|
<rule from="^https?://scbackstage\.wpengine\.netdna-cdn\.com/"
|
||||||
|
to="https://backstage.soundcloud.com/" />
|
||||||
|
|
||||||
|
<rule from="^https?://soundcloud\.wpengine\.netdna-cdn\.com/"
|
||||||
|
to="https://blog.soundcloud.com/" />
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,36 @@
|
||||||
|
<!--
|
||||||
|
Nonfunctional:
|
||||||
|
|
||||||
|
- image.bayimg.com
|
||||||
|
- (www.)thepiratebay.sx (http reply)
|
||||||
|
|
||||||
|
|
||||||
|
For problematic rules, see ThePirateBay-mismatches.xml.
|
||||||
|
|
||||||
|
-->
|
||||||
|
<ruleset name="The Pirate Bay (partial)">
|
||||||
|
|
||||||
|
<target host="suprbay.org" />
|
||||||
|
<target host="*.suprbay.org" />
|
||||||
|
<!-- * for cross-domain cookie -->
|
||||||
|
<target host="*.forum.suprbay.org" />
|
||||||
|
<target host="thepiratebay.org"/>
|
||||||
|
<target host="*.thepiratebay.org"/>
|
||||||
|
<target host="thepiratebay.se"/>
|
||||||
|
<target host="*.thepiratebay.se"/>
|
||||||
|
|
||||||
|
<securecookie host="^.*\.suprbay\.org$" name=".*" />
|
||||||
|
<securecookie host="^(.*\.)?thepiratebay\.se$" name=".*"/>
|
||||||
|
|
||||||
|
|
||||||
|
<!-- Cert doesn't match (www.), redirects like so. -->
|
||||||
|
<rule from="^https?://(?:forum\.|www\.)?suprbay\.org/"
|
||||||
|
to="https://forum.suprbay.org/" />
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?thepiratebay\.(?:org|se)/"
|
||||||
|
to="https://thepiratebay.se/"/>
|
||||||
|
|
||||||
|
<rule from="^http://(rss|static|torrents)\.thepiratebay\.(?:org|se)/"
|
||||||
|
to="https://$1.thepiratebay.se/"/>
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,18 @@
|
||||||
|
<ruleset name="Tor Project">
|
||||||
|
|
||||||
|
<target host="torproject.org" />
|
||||||
|
<target host="*.torproject.org" />
|
||||||
|
<exclusion pattern="^http://torperf\.torproject\.org/" />
|
||||||
|
|
||||||
|
|
||||||
|
<!-- Not secured by server:
|
||||||
|
-->
|
||||||
|
<!--securecookie host="^\.blog\.torproject\.org$" name="^SESS[0-9a-f]{32}$" /-->
|
||||||
|
|
||||||
|
<securecookie host="^(?:.*\.)?torproject\.org$" name=".+" />
|
||||||
|
|
||||||
|
|
||||||
|
<rule from="^http://([^/:@\.]+\.)?torproject\.org/"
|
||||||
|
to="https://$1torproject.org/" />
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,169 @@
|
||||||
|
<!--
|
||||||
|
Other Twitter rulesets:
|
||||||
|
|
||||||
|
- Twitter_Community.com.xml
|
||||||
|
|
||||||
|
|
||||||
|
Nonfunctional domains:
|
||||||
|
|
||||||
|
- status.twitter.com *
|
||||||
|
- status.twitter.jp *
|
||||||
|
|
||||||
|
* Tumblr
|
||||||
|
|
||||||
|
|
||||||
|
CDN buckets:
|
||||||
|
|
||||||
|
- a1095.g.akamai.net/=/1095/134446/1d/platform.twitter.com/ | platform2.twitter.com.edgesuite.net
|
||||||
|
|
||||||
|
- platform2.twitter.com
|
||||||
|
|
||||||
|
- twitter-any.s3.amazonaws.com
|
||||||
|
- twitter-blog.s3.amazonaws.com
|
||||||
|
|
||||||
|
- d2rdfnizen5apl.cloudfront.net
|
||||||
|
|
||||||
|
- s.twimg.com
|
||||||
|
|
||||||
|
- ssl2.twitter.com.edgekey.net
|
||||||
|
- twitter.github.com
|
||||||
|
|
||||||
|
|
||||||
|
Problematic domains:
|
||||||
|
|
||||||
|
- twimg.com subdomains:
|
||||||
|
|
||||||
|
- a5 *
|
||||||
|
- s (cloudfront)
|
||||||
|
|
||||||
|
- twitter.com subdomains:
|
||||||
|
|
||||||
|
- platform[0-3] (403, akamai)
|
||||||
|
|
||||||
|
* akamai
|
||||||
|
|
||||||
|
|
||||||
|
Fully covered domains:
|
||||||
|
|
||||||
|
- (www.)t.co (www → ^)
|
||||||
|
|
||||||
|
- twimg.com subdomains:
|
||||||
|
|
||||||
|
- a[5-9] (→ si0)
|
||||||
|
- a\d
|
||||||
|
- abs
|
||||||
|
- dnt
|
||||||
|
- ea
|
||||||
|
- g
|
||||||
|
- g2
|
||||||
|
- gu
|
||||||
|
- hca
|
||||||
|
- jp
|
||||||
|
- ma
|
||||||
|
- ma[0123]
|
||||||
|
- o
|
||||||
|
- p
|
||||||
|
- pbs
|
||||||
|
- r
|
||||||
|
- s (→ d2rdfnizen5apl.cloudfront.net)
|
||||||
|
- si[0-5]
|
||||||
|
- syndication
|
||||||
|
- cdn.syndication
|
||||||
|
- tailfeather
|
||||||
|
- ton
|
||||||
|
- v
|
||||||
|
- widgets
|
||||||
|
|
||||||
|
- twitter.com subdomains:
|
||||||
|
|
||||||
|
- (www.)
|
||||||
|
- 201[012]
|
||||||
|
- about
|
||||||
|
- ads
|
||||||
|
- analytics
|
||||||
|
- api
|
||||||
|
- cdn.api
|
||||||
|
- urls.api
|
||||||
|
- blog
|
||||||
|
- business
|
||||||
|
- preview.cdn
|
||||||
|
- preview-dev.cdn
|
||||||
|
- preview-stage.cdn
|
||||||
|
- de
|
||||||
|
- dev
|
||||||
|
- en
|
||||||
|
- engineering
|
||||||
|
- es
|
||||||
|
- firefox
|
||||||
|
- fr
|
||||||
|
- it
|
||||||
|
- ja
|
||||||
|
- jp
|
||||||
|
- m
|
||||||
|
- media
|
||||||
|
- mobile
|
||||||
|
- music
|
||||||
|
- oauth
|
||||||
|
- p
|
||||||
|
- pic
|
||||||
|
- platform
|
||||||
|
- platform[0-3] (→ platform)
|
||||||
|
- widgets.platform
|
||||||
|
- search
|
||||||
|
- static
|
||||||
|
- support
|
||||||
|
- transparency
|
||||||
|
- upload
|
||||||
|
|
||||||
|
|
||||||
|
These altnames don't exist:
|
||||||
|
|
||||||
|
- i3.twimg.com
|
||||||
|
- p-dev.twimg.com
|
||||||
|
- vmtc.twimg.com
|
||||||
|
|
||||||
|
- cdn-dev.api.twitter.com
|
||||||
|
|
||||||
|
-->
|
||||||
|
<ruleset name="Twitter">
|
||||||
|
|
||||||
|
<target host="t.co" />
|
||||||
|
<target host="*.t.co" />
|
||||||
|
<target host="*.twimg.com" />
|
||||||
|
<target host="twitter.com" />
|
||||||
|
<target host="*.twitter.com" />
|
||||||
|
|
||||||
|
|
||||||
|
<!-- Secured by server:
|
||||||
|
-->
|
||||||
|
<!--securecookie host="^\.twitter\.com$" name="^_twitter_sess$" /-->
|
||||||
|
<!--securecookie host="^support\.twitter\.com$" name="^_help_center_session$" /-->
|
||||||
|
<!--
|
||||||
|
Not secured by server:
|
||||||
|
-->
|
||||||
|
<!--securecookie host="^\.t\.co$" name="^muc$" /-->
|
||||||
|
<!--securecookie host="^\.twitter\.com$" name="^guest_id$" /-->
|
||||||
|
|
||||||
|
<securecookie host="^\.t\.co$" name=".+" />
|
||||||
|
<securecookie host="^(?:.*\.)?twitter\.com$" name=".+" />
|
||||||
|
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?t\.co/"
|
||||||
|
to="https://t.co/" />
|
||||||
|
|
||||||
|
<rule from="^http://a[5-9]\.twimg\.com/"
|
||||||
|
to="https://si0.twimg.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://(abs|a\d|dnt|ea|g[2u]?|hca|jp|ma\d?|o|p|pbs|r|si\d|(?:cdn\.)?syndication|tailfeather|ton|v|widgets)\.twimg\.com/"
|
||||||
|
to="https://$1.twimg.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://s\.twimg\.com/"
|
||||||
|
to="https://d2rdfnizen5apl.cloudfront.net/" />
|
||||||
|
|
||||||
|
<rule from="^http://((?:201\d|about|ads|analytics|blog|(?:cdn\.|urls\.)?api|business|preview(?:-dev|-stage)?\.cdn|de|dev|engineering|en|es|firefox|fr|it|ja|jp|m|media|mobile|music|oauth|p|pic|platform|widgets\.platform|search|static|support|transparency|upload|www)\.)?twitter\.com/"
|
||||||
|
to="https://$1twitter.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://platform\d\.twitter\.com/"
|
||||||
|
to="https://platform.twitter.com/" />
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,75 @@
|
||||||
|
<!--
|
||||||
|
CDN buckets:
|
||||||
|
|
||||||
|
- av.vimeo.com.edgesuite.net
|
||||||
|
|
||||||
|
- a808.g.akamai.net
|
||||||
|
|
||||||
|
- pdl.vimeocdn.com.edgesuite.net
|
||||||
|
|
||||||
|
- a1189.g.akamai.net
|
||||||
|
|
||||||
|
|
||||||
|
Problematic subdomains:
|
||||||
|
|
||||||
|
- av (pdl.../crossdomain.xml restricts to port 80)
|
||||||
|
- pdl (works, akamai)
|
||||||
|
|
||||||
|
|
||||||
|
Partially covered subdomains:
|
||||||
|
|
||||||
|
- developer (some pages redirect to http)
|
||||||
|
- pdl (→ akamai)
|
||||||
|
|
||||||
|
|
||||||
|
Fully covered subdomains:
|
||||||
|
|
||||||
|
- (www.)
|
||||||
|
- secure
|
||||||
|
|
||||||
|
|
||||||
|
Default off per https://trac.torproject.org/projects/tor/ticket/7569 -->
|
||||||
|
<ruleset name="Vimeo (default off)" default_off="breaks some video embedding">
|
||||||
|
|
||||||
|
<target host="vimeo.com" />
|
||||||
|
<target host="*.vimeo.com" />
|
||||||
|
<exclusion pattern="^http://av\.vimeo\.com/crossdomain\.xml" />
|
||||||
|
<!--exclusion pattern="^http://developer\.vimeo\.com/($|\?|(apps|guidelines|help|player)($|[?/]))" /-->
|
||||||
|
<exclusion pattern="^http://developer\.vimeo\.com/(?!apis(?:$|[?/])|favicon\.ico)" />
|
||||||
|
<target host="*.vimeocdn.com" />
|
||||||
|
<!--
|
||||||
|
Uses crossdomain.xml from s3.amazonaws.com, which sets secure="false"
|
||||||
|
|
||||||
|
https://mail1.eff.org/pipermail/https-everywhere/2012-October/001583.html
|
||||||
|
-->
|
||||||
|
<exclusion pattern="^http://a\.vimeocdn\.com/p/flash/moogaloop/" />
|
||||||
|
|
||||||
|
<!-- We cannot secure streams because crossdomain.xml
|
||||||
|
restricts to port 80 :(
|
||||||
|
-->
|
||||||
|
<exclusion pattern="^http://pdl\.vimeocdn\.com/(?!crossdomain\.xml)" />
|
||||||
|
|
||||||
|
|
||||||
|
<!-- Tracking cookies:
|
||||||
|
-->
|
||||||
|
<securecookie host="^\.(?:player\.)?vimeo\.com$" name="^__utm\w$" />
|
||||||
|
|
||||||
|
|
||||||
|
<rule from="^http://((?:developer|player|secure|www)\.)?vimeo\.com/"
|
||||||
|
to="https://$1vimeo.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://av\.vimeo\.com/"
|
||||||
|
to="https://a248.e.akamai.net/f/808/9207/8m/av.vimeo.com/" />
|
||||||
|
|
||||||
|
<!-- a & b: Akamai -->
|
||||||
|
<rule from="^http://(?:secure-)?([ab])\.vimeocdn\.com/"
|
||||||
|
to="https://secure-$1.vimeocdn.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://i\.vimeocdn\.com/"
|
||||||
|
to="https://i.vimeocdn.com/" />
|
||||||
|
|
||||||
|
<rule from="^http://pdl\.vimeocdn\.com/"
|
||||||
|
to="https://a248.e.akamai.net/f/1189/4415/8d/pdl.vimeocdn.com/" />
|
||||||
|
|
||||||
|
</ruleset>
|
||||||
|
|
|
@ -0,0 +1,13 @@
|
||||||
|
<ruleset name="WikiLeaks">
|
||||||
|
|
||||||
|
<target host="wikileaks.org" />
|
||||||
|
<target host="*.wikileaks.org" />
|
||||||
|
|
||||||
|
|
||||||
|
<securecookie host="^(?:w*\.)?wikileaks\.org$" name=".+" />
|
||||||
|
|
||||||
|
|
||||||
|
<rule from="^http://((?:chat|search|shop|www)\.)?wikileaks\.org/"
|
||||||
|
to="https://$1wikileaks.org/" />
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -0,0 +1,107 @@
|
||||||
|
<!--
|
||||||
|
Wikipedia and other Wikimedia Foundation wikis previously had no real HTTPS support, and
|
||||||
|
URLs had to be rewritten to https://secure.wikimedia.org/$wikitype/$language/ . This is no
|
||||||
|
longer the case, see https://blog.wikimedia.org/2011/10/03/native-https-support-enabled-for-all-wikimedia-foundation-wikis/ ,
|
||||||
|
so this file is a lot simpler these days.
|
||||||
|
|
||||||
|
|
||||||
|
Mixed content:
|
||||||
|
|
||||||
|
- Images, on:
|
||||||
|
|
||||||
|
- stats.wikimedia.org from upload.wikimedia.org *
|
||||||
|
- stats.wikimedia.org from wikimediafoundation.org *
|
||||||
|
|
||||||
|
* Secured by us
|
||||||
|
|
||||||
|
-->
|
||||||
|
<ruleset name="Wikimedia">
|
||||||
|
|
||||||
|
<target host="enwp.org" />
|
||||||
|
<target host="frwp.org" />
|
||||||
|
|
||||||
|
<target host="mediawiki.org" />
|
||||||
|
<target host="www.mediawiki.org" />
|
||||||
|
<target host="wikimedia.org" />
|
||||||
|
<target host="*.wikimedia.org" />
|
||||||
|
<exclusion pattern="^http://(?:apt|cs|cz|parsoid-lb\.eqiad|status|torrus|ubuntu)\.wikimedia\.org" />
|
||||||
|
<!-- https://mail1.eff.org/pipermail/https-everywhere-rules/2012-June/001189.html -->
|
||||||
|
<exclusion pattern="^http://lists\.wikimedia\.org/pipermail(?:$|/)" />
|
||||||
|
<target host="wikimediafoundation.org" />
|
||||||
|
<target host="www.wikimediafoundation.org" />
|
||||||
|
|
||||||
|
<!-- Wikimedia projects (also some wikimedia.org subdomains) -->
|
||||||
|
<target host="wikibooks.org" />
|
||||||
|
<target host="*.wikibooks.org" />
|
||||||
|
<target host="wikidata.org" />
|
||||||
|
<target host="*.wikidata.org" />
|
||||||
|
<target host="wikinews.org" />
|
||||||
|
<target host="*.wikinews.org" />
|
||||||
|
<target host="wikipedia.org" />
|
||||||
|
<target host="*.wikipedia.org" />
|
||||||
|
<target host="wikiquote.org" />
|
||||||
|
<target host="*.wikiquote.org" />
|
||||||
|
<target host="wikisource.org" />
|
||||||
|
<target host="*.wikisource.org" />
|
||||||
|
<target host="wikiversity.org" />
|
||||||
|
<target host="*.wikiversity.org" />
|
||||||
|
<target host="wikivoyage.org" />
|
||||||
|
<target host="*.wikivoyage.org" />
|
||||||
|
<target host="wiktionary.org" />
|
||||||
|
<target host="*.wiktionary.org" />
|
||||||
|
|
||||||
|
<!-- Wikimedia chapters -->
|
||||||
|
<target host="wikimedia.ca" />
|
||||||
|
<target host="www.wikimedia.ca" />
|
||||||
|
|
||||||
|
<!-- Wikimedia Tool Labs -->
|
||||||
|
<target host="tools.wmflabs.org" />
|
||||||
|
<target host="icinga.wmflabs.org" />
|
||||||
|
<target host="ganglia.wmflabs.org" />
|
||||||
|
|
||||||
|
<!-- Not secured by server:
|
||||||
|
-->
|
||||||
|
<!--securecookie host="^\.wiki(books|ipedia)\.org$" name="^GeoIP$" /-->
|
||||||
|
|
||||||
|
<securecookie host="^^\.wik(?:ibooks|idata|imedia|inews|ipedia|iquote|isource|iversity|ivoyage|tionary)\.org$" name="^GeoIP$" />
|
||||||
|
<securecookie host="^([^@:/]+\.)?wik(ibooks|idata|inews|ipedia|iquote|isource|iversity|ivoyage|tionary)\.org$" name=".*" />
|
||||||
|
<securecookie host="^(species|commons|meta|incubator|wikitech).wikimedia.org$" name=".*" />
|
||||||
|
<securecookie host="^(?:www\.)?mediawiki\.org$" name=".*" />
|
||||||
|
<securecookie host="^wikimediafoundation.org$" name=".*" />
|
||||||
|
|
||||||
|
<rule from="^http://(en|fr)wp\.org/"
|
||||||
|
to="https://$1.wikipedia.org/wiki/" />
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?mediawiki\.org/"
|
||||||
|
to="https://www.mediawiki.org/" />
|
||||||
|
|
||||||
|
<rule from="^https?://download\.wikipedia\.org/"
|
||||||
|
to="https://dumps.wikimedia.org/" />
|
||||||
|
|
||||||
|
<rule from="^https?://(download|dataset2|sitemap)\.wikimedia\.org/"
|
||||||
|
to="https://dumps.wikimedia.org/" />
|
||||||
|
|
||||||
|
<rule from="^https?://(labs-ns[01]|virt0)\.wikimedia\.org/"
|
||||||
|
to="https://wikitech.wikimedia.org/" />
|
||||||
|
|
||||||
|
<rule from="^https?://noboard\.chapters\.wikimedia\.org/"
|
||||||
|
to="https://noboard-chapters.wikimedia.org/" />
|
||||||
|
|
||||||
|
<rule from="^https?://wg\.en\.wikipedia\.org/"
|
||||||
|
to="https://wg-en.wikipedia.org/" />
|
||||||
|
|
||||||
|
<rule from="^https?://arbcom\.(de|en|fi|nl)\.wikipedia\.org/"
|
||||||
|
to="https://arbcom-$1.wikipedia.org/" />
|
||||||
|
|
||||||
|
<rule from="^http://([^@:/]+\.)?wik(ibooks|idata|imedia|inews|ipedia|iquote|isource|iversity|ivoyage|tionary)\.org/"
|
||||||
|
to="https://$1wik$2.org/" />
|
||||||
|
|
||||||
|
<rule from="^http://(www\.)?wikimediafoundation\.org/"
|
||||||
|
to="https://$1wikimediafoundation.org/" />
|
||||||
|
|
||||||
|
<rule from="^http://(www\.)?wikimedia\.ca/"
|
||||||
|
to="https://wikimedia.ca/" />
|
||||||
|
|
||||||
|
<rule from="^http://([^@:/]+)\.wmflabs\.org/"
|
||||||
|
to="https://$1.wmflabs.org/" />
|
||||||
|
</ruleset>
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,46 @@
|
||||||
|
<ruleset name="YouTube (partial)">
|
||||||
|
|
||||||
|
<target host="youtube.com" />
|
||||||
|
<target host="*.youtube.com" />
|
||||||
|
<exclusion pattern="^http://(?:www\.)?youtube\.com/crossdomain\.xml"/>
|
||||||
|
<exclusion pattern="^http://(?:www\.)?youtube\.com/(?:apiplayer|api_video_info)"/>
|
||||||
|
<exclusion pattern="^http://(?:[^/@:\.]+\.)?ytimg\.com/.*apiplayer[0-9]*\.swf"/>
|
||||||
|
<target host="*.ytimg.com" />
|
||||||
|
<target host="youtu.be" />
|
||||||
|
<target host="youtube-nocookie.com"/>
|
||||||
|
<target host="www.youtube-nocookie.com"/>
|
||||||
|
<target host="*.googlevideo.com"/>
|
||||||
|
<exclusion pattern="^http://([^/@:\.]+)\.googlevideo\.com/crossdomain\.xml"/>
|
||||||
|
|
||||||
|
|
||||||
|
<!-- Not secured by server:
|
||||||
|
-->
|
||||||
|
<!--securecookie host="^\.youtube\.com$" name="^(GEUP|PREF|VISITOR_INFO1_LIVE|YSC)$" /-->
|
||||||
|
|
||||||
|
<!-- observed ^. cookies:
|
||||||
|
- use_hitbox
|
||||||
|
- VISITOR_INFO1_LIVE
|
||||||
|
- recently_watched_video_id_list
|
||||||
|
- .youtube.com -->
|
||||||
|
<securecookie host="^\.youtube\.com" name=".*"/>
|
||||||
|
|
||||||
|
|
||||||
|
<rule from="^http://(www\.)?youtube\.com/"
|
||||||
|
to="https://$1youtube.com/"/>
|
||||||
|
|
||||||
|
<rule from="^http://(br|de|es|fr|il|img|insight|jp|m|nl|uk)\.youtube\.com/"
|
||||||
|
to="https://$1.youtube.com/"/>
|
||||||
|
|
||||||
|
<rule from="^http://([^/@:\.]+)\.ytimg\.com/"
|
||||||
|
to="https://$1.ytimg.com/"/>
|
||||||
|
|
||||||
|
<rule from="^http://youtu\.be/"
|
||||||
|
to="https://youtu.be/"/>
|
||||||
|
|
||||||
|
<rule from="^http://(?:www\.)?youtube-nocookie\.com/"
|
||||||
|
to="https://www.youtube-nocookie.com/"/>
|
||||||
|
|
||||||
|
<rule from="^http://([^/@:\.]+)\.googlevideo\.com/"
|
||||||
|
to="https://$1.googlevideo.com/"/>
|
||||||
|
|
||||||
|
</ruleset>
|
|
@ -4,6 +4,9 @@ server:
|
||||||
debug : False
|
debug : False
|
||||||
request_timeout : 3.0 # seconds
|
request_timeout : 3.0 # seconds
|
||||||
base_url: False
|
base_url: False
|
||||||
|
themes_path : ""
|
||||||
|
default_theme : default
|
||||||
|
https_rewrite : True
|
||||||
|
|
||||||
engines:
|
engines:
|
||||||
- name : general_dummy
|
- name : general_dummy
|
||||||
|
|
|
@ -50,6 +50,9 @@ from searx.search import Search
|
||||||
from searx.query import Query
|
from searx.query import Query
|
||||||
from searx.autocomplete import backends as autocomplete_backends
|
from searx.autocomplete import backends as autocomplete_backends
|
||||||
|
|
||||||
|
from urlparse import urlparse
|
||||||
|
import re
|
||||||
|
|
||||||
|
|
||||||
static_path, templates_path, themes =\
|
static_path, templates_path, themes =\
|
||||||
get_themes(settings['themes_path']
|
get_themes(settings['themes_path']
|
||||||
|
@ -206,16 +209,60 @@ def index():
|
||||||
if not search.paging and engines[result['engine']].paging:
|
if not search.paging and engines[result['engine']].paging:
|
||||||
search.paging = True
|
search.paging = True
|
||||||
|
|
||||||
|
# check if HTTPS rewrite is required
|
||||||
if settings['server']['https_rewrite']\
|
if settings['server']['https_rewrite']\
|
||||||
and result['parsed_url'].scheme == 'http':
|
and result['parsed_url'].scheme == 'http':
|
||||||
|
|
||||||
for http_regex, https_url in https_rules:
|
skip_https_rewrite = False
|
||||||
if http_regex.match(result['url']):
|
|
||||||
result['url'] = http_regex.sub(https_url, result['url'])
|
# check if HTTPS rewrite is possible
|
||||||
# TODO result['parsed_url'].scheme
|
for target, rules, exclusions in https_rules:
|
||||||
|
|
||||||
|
# check if target regex match with url
|
||||||
|
if target.match(result['url']):
|
||||||
|
# process exclusions
|
||||||
|
for exclusion in exclusions:
|
||||||
|
# check if exclusion match with url
|
||||||
|
if exclusion.match(result['url']):
|
||||||
|
skip_https_rewrite = True
|
||||||
|
break
|
||||||
|
|
||||||
|
# skip https rewrite if required
|
||||||
|
if skip_https_rewrite:
|
||||||
|
break
|
||||||
|
|
||||||
|
# process rules
|
||||||
|
for rule in rules:
|
||||||
|
try:
|
||||||
|
# TODO, precompile rule
|
||||||
|
p = re.compile(rule[0])
|
||||||
|
|
||||||
|
# rewrite url if possible
|
||||||
|
new_result_url = p.sub(rule[1], result['url'])
|
||||||
|
except:
|
||||||
|
break
|
||||||
|
|
||||||
|
# parse new url
|
||||||
|
new_parsed_url = urlparse(new_result_url)
|
||||||
|
|
||||||
|
# continiue if nothing was rewritten
|
||||||
|
if result['url'] == new_result_url:
|
||||||
|
continue
|
||||||
|
|
||||||
|
# get domainname from result
|
||||||
|
# TODO, does only work correct with TLD's like asdf.com, not for asdf.com.de
|
||||||
|
# TODO, using publicsuffix instead of this rewrite rule
|
||||||
|
old_result_domainname = '.'.join(result['parsed_url'].hostname.split('.')[-2:])
|
||||||
|
new_result_domainname = '.'.join(new_parsed_url.hostname.split('.')[-2:])
|
||||||
|
|
||||||
|
# check if rewritten hostname is the same, to protect against wrong or malicious rewrite rules
|
||||||
|
if old_result_domainname == new_result_domainname:
|
||||||
|
# set new url
|
||||||
|
result['url'] = new_result_url
|
||||||
|
|
||||||
|
# target has matched, do not search over the other rules
|
||||||
break
|
break
|
||||||
|
|
||||||
# HTTPS rewrite
|
|
||||||
if search.request_data.get('format', 'html') == 'html':
|
if search.request_data.get('format', 'html') == 'html':
|
||||||
if 'content' in result:
|
if 'content' in result:
|
||||||
result['content'] = highlight_content(result['content'],
|
result['content'] = highlight_content(result['content'],
|
||||||
|
|
Loading…
Reference in New Issue