Include rulesets with different platforms in duplicate checks #11440
To answer @J0WI's comment in #11438 (comment):
As far as I can tell, not many. I don't know how the current `egrep '<target\s+host=\s*"' *.xml | cut -d '"' -f 2 | sort | uniq -c | grep -v '1 ' | wc -l` returns 230 candidates (with some possible false positives (commented targets)). The current `wc -l utils/duplicate-whitelist.txt` 153 targets.
@Bisaloo there are 224 duplicated See also Updated: 2018.01.24
Thanks @cschanaj! If we want to create the new whitelist using your script, it may be useful to group targets by domain.
@Bisaloo updated the file accordingly, please check. thanks! P.S. I guess
Yes, and this is intended behaviour too. I am arguing for a change of policy concerning the whitelist. This is not a bug (if we forget the fact that some targets are in
I agree with the proposed changes of policy since the FYI, See also
See #11484
Given there are no objections, I would like to go forward with this and propose a PR to implement this change. @cschanaj, since you have done most of the work already, I think it's fair you submit this PR but if you prefer, I can do it myself.
@Bisaloo I have limited availability at the moment, feel free to submit a PR yourself 😄
Closed by #14861
I think we should review the way tests are currently working to check duplicates.

At the moment, tests will pass even if a target is duplicated in more than one ruleset as long as it is not in more than one ruleset without platform. For example, the domain in this PR (#11438) was not in `duplicate-whitelist.txt`. But this can cause problems. In this case, it was pretty obvious that there is mixed content so the ruleset without platform shouldn't have made it to the repo.

But we can think of more tricky cases, where the mixed content is not on the landing page but on deep links. In that case, User 1 creates a ruleset without `platform="mixedcontent"`. User 2 sees that the website can be secured but doesn't realize there is already a rule for it (`platform="mixedcontent"` rules are disabled by default for most users). But User 2 misses the fact that this website has mixed content and creates a ruleset without `platform`. We are now breaking a website when we could have easily avoided it.

I propose that all duplicates require to be in `duplicate-whitelist.txt`, even if one of the rulesets they are in has a `platform`. I know that in some cases, some contributors will secure some resources in a ruleset with `platform` and the rest in `platform="mixedcontent"` but adding such domains in the whitelist is trivial and that's what the whitelist is for anyways (not to mention the fact that to my knowledge, no one is doing that anymore. MB used to do it but they were the only one).
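The two policies discussed in this issue, side by side, as an added example that is not the repository's own test code: it parses the `<ruleset>`/`<target host="..."/>` structure and reports hosts declared in more than one ruleset, either ignoring rulesets that carry a `platform` attribute (the current behaviour described above) or counting every ruleset and requiring a whitelist entry (the proposed one). The ruleset XML and file names are constructed for the example.

```python
"""Duplicate-target check over HTTPS Everywhere style rulesets (added example)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample rulesets keyed by file name; not files from the real repo.
SAMPLE_RULESETS = {
    "Example.xml": '<ruleset name="Example"><target host="example.com"/>'
                   '<rule from="^http:" to="https:"/></ruleset>',
    "Example-mixed.xml": '<ruleset name="Example (partial)" platform="mixedcontent">'
                         '<target host="example.com"/><target host="www.example.com"/>'
                         '<rule from="^http:" to="https:"/></ruleset>',
    "Example-www.xml": '<ruleset name="Example www"><target host="www.example.com"/>'
                       '<rule from="^http:" to="https:"/></ruleset>',
    "Other.xml": '<ruleset name="Other"><target host="other.example"/>'
                 '<rule from="^http:" to="https:"/></ruleset>',
}


def collect_targets(rulesets, include_platform):
    """Map each target host to the ruleset files that declare it.

    With include_platform=False, rulesets carrying a platform attribute
    (e.g. mixedcontent) are skipped entirely, which is the current check
    as the issue describes it: a target may sit in a platform ruleset and
    in one platform-less ruleset without being counted as a duplicate.
    """
    hosts = defaultdict(list)
    for name, xml in rulesets.items():
        root = ET.fromstring(xml)
        if root.tag != "ruleset":
            raise ValueError(f"{name}: root element {root.tag!r}, expected 'ruleset'")
        if root.get("platform") and not include_platform:
            continue
        for target in root.iter("target"):
            hosts[target.get("host")].append(name)
    return hosts


def duplicate_violations(rulesets, whitelist, proposed_policy):
    """Hosts in more than one ruleset that are missing from the whitelist.

    proposed_policy=True applies the change proposed in the issue: platform
    rulesets count too, so any cross-ruleset duplicate needs a whitelist entry.
    """
    hosts = collect_targets(rulesets, include_platform=proposed_policy)
    return sorted(h for h, files in hosts.items()
                  if len(files) > 1 and h not in whitelist)
```

Under the current policy the sample passes with an empty whitelist; under the proposed policy both `example.com` and `www.example.com` must be whitelisted before the check passes.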