Intended behavior of HTTP | Never -> Force HTTPS *.site.com

[therube]

What is the Intended behavior of HTTP | Never -> Force HTTPS => *.site.com ?

You have Forced HTTPS for *.site.com.

What happens if site.com does not support HTTPS?
What happens if site.com contains mixed content, all on .site.com?

What is the difference between ".site.com" & "*.site.com"?

If I Force HTTPS for .bankofamerica.com or *.bankofamerica.com why does http://locators.bankofamerica.com/locator/locator/LocatorAction.do work in http?

[therube]

Clueless.
I've done nothing that I know, yet now things look to be working more normally.

Now when I tried to load the http: boa URL, I get a Page Load Error, Redirect Loop.


OK, so maybe I did do a few things.
Ate dinner.
Dropped down from Aurora to Release.
Messed around with setting things to Always & "Tor" & back to Never.
Restarted browser.
(This was in a different Profile then normal.)


And now too I get the Redirect Loop in my original Profile, still running Aurora, not having shut down.
I did try the link in same window, different tab, also in a new window, & earlier it loaded the http:. Now I get Redirect.

?

[dhouwn]

What is the Intended behavior of HTTP | Never -> Force HTTPS => *.site.com ?

And exception list to the places where HTTPS is being enforced by NoScript, so only if a location matches an entry in the HTTPS and not in the "never force" list HTTPS enforcement happens.

why does http://locators.bankofamerica.com/locator/locator/LocatorAction.do work in http?

Because it redirects I think. Oddly enough I believe to remember that Giorgio changed the behavior, but I thought he changed it the other way round, removing this "fallback".

[therube]

re: Never & Forced HTTPS

And exception list to the places where HTTPS is being enforced by NoScript, so only if a location matches an entry in the HTTPS and not in the "never force" list HTTPS enforcement happens.

Let me revise slightly:

An exception list to the places where HTTPS is being enforced by NoScript, so only if a location matches an entry in the (Forced) HTTPS and not in the "never force" list HTTPS enforcement happens.

Which is what I was expecting, but was not seeing, initially.

Always - no page loaded by a plain HTTP or FTP connection is allowed

And what does that mean? What is supposed to happen, or not, & when?
If Always, & if no exception, then if a site does not support HTTPS, then it should not load?

[dhouwn]

If Always, & if no exception, then if a site does not support HTTPS, then it should not load?

Guess so, if you get the "The page isn't redirecting properly" error page then it's the right behavior (forget what I said earlier, Giorgio did indeed change it to not fall back to HTTP).

[therube]

I don't know that Always is working - at all?

[thunderscript]

This is intended as a helpful contribution to the discussion, not as endorsement to other extensions. But for such needs, is it not easier to use HTTPS Everywhere instead? It rewrites http requests into https on websites for which the rules have been created. The rules are simple regex (or complex, depends on one's view), and it can fix requests where http and https may differ greatly.

For example, it rewrites requests to http www.flickr.com into https secure.flickr.com
More complicated example existed when wikipedia.org didn't yet support https, but wikimedia had. It could rewrite:
http en.wikipedia.org/wiki/NoScript into https secure.wikimedia.org/wikipedia/en/wiki/NoScript

An entire community of volunteers helps make rules for websites which support https, so in theory it should help on a much wider array of websites than one could cater for on his own. And they are more likely to discover "proper" sub-domains which allow SSL.

[Thrawn]

I don't know that Always is working - at all?

I'm pretty sure it works for me. For example, if I force HTTPS for .informaction.com, this very page tries (unsuccessfully) to go to secure.informaction.com.

An entire community of volunteers helps make rules for websites which support https, so in theory it should help on a much wider array of websites than one could cater for on his own. And they are more likely to discover "proper" sub-domains which allow SSL.

Better still is HTTPS Finder. Which, btw, is designed to work with HTTPS Everywhere, but personally I prefer to use it on its own.

[therube]

> if I force HTTPS for .informaction.com

Right, that will work.


But if you select Always, then every site should be forced, without white or blacklisting anything, no?

And that is not happening.

[Thrawn]

If that's what you want, then just put an asterisk in the Always box.

[therube]

Always the simple solution, huh .
Yes, that works.
(And thanks to the spammer. Otherwise I had missed the post.)