HTTPS Everywhere Atlas

Embedded content loaded from third-party domains (for example, YouTube, Google Analytics, ad networks, or CDNs) may also be affected. You can test this by loading the web page in question in a browser with HTTPS Everywhere installed and pulling down the HTTPS Everywhere rules menu. This will show a list of HTTPS Everywhere rules that were applied as the page was loaded, including rules that might have affected embedded content from other domains.

The stable (as yet unreleased) branch contains the following rule that is enabled by default:

<!--
	For other Google coverage, see GoogleServices.xml


	Nonfunctional domains:

		- hosted.gmodules.com *
		- img0.gmodules.com *
		- p.gmodules.com *

	* 404; mismatched, CN: *.googleusercontent.com


	Problematic domains:

		- gmodules.com			(503, CN: www.google.com)
		- www.gmodules.com		(503, CN: *.googleusercontent.com)
		- gstatic.com			(404, valid cert)
		These two changed URL formats as well as domains, need to find an example
		of the old format in the wild:
		- api.recaptcha.net	(→ www.google.com)
		- api-secure.recaptcha.net


	Partially covered domains:

		- (www.)gmodules.com		(→ www.google.com)
		- (www.)google.com
		- chart.apis.google.com		(→ chart.googleapis.com)


	Fully covered domains:

		- api.google.com

		- *.clients.google.com:

			- linkhelp

		- googleapis.com subdomains:

			- ajax
			- chart
			- *.commondatastorage
			- fonts
			- storage
			- *.storage
			- www

		- gstatic.com subdomains:

			- (www.)	(^ → www)
			- csi
			- encrypted-tbn\d
			- fonts
			- g0
			- *.metric
			- ssl
			- t\d


--><ruleset name="Google APIs">
	<target host="gmodules.com"/>
	<target host="www.gmodules.com"/>
		<!-- need this exclusion otherwise the test checker will use the hosts as test urls -->
		<exclusion pattern="^http://(www\.)?gmodules\.com/$"/>

	<target host="ajax.googleapis.com"/>
		<!-- The implicit test URL at the root of this domain generates a 404.
				 Add an exclusion so the fetcher is happy. -->
		<exclusion pattern="^http://ajax\.googleapis\.com/$"/>
	<target host="chart.googleapis.com"/>
		<!-- The implicit test URL at the root of this domain generates a 404.
				 Add an exclusion so the fetcher is happy. -->
		<exclusion pattern="^http://chart\.googleapis\.com/$"/>
	<target host="ct.googleapis.com"/>
	<target host="fonts.googleapis.com"/>
	<target host="imasdk.googleapis.com"/>
	<target host="maps.googleapis.com"/>
	<target host="www.googleapis.com"/>
	<target host="commondatastorage.googleapis.com"/>
	<target host="*.commondatastorage.googleapis.com"/>
	<target host="*.storage.googleapis.com"/>
	<target host="storage.googleapis.com"/>

	<target host="gstatic.com"/>
	<target host="*.gstatic.com"/>

	<securecookie host="^maps\.gstatic\.com$" name=".+"/>

	<!--	Captive portal detection redirects to this URL, and many captive
		portals break TLS, so exempt this redirect URL.
		See GitHub bug #368
			-->
	<exclusion pattern="^http://www\.gstatic\.com/generate_204"/>
		<test url="http://www.gstatic.com/generate_204"/>

	<!--	Breaks digitalattackmap.com, cf.
		https://trac.torproject.org/projects/tor/ticket/15154
			-->
	<exclusion pattern="^http://www\.gstatic\.com/ddos-viz/attacks\.json"/>
		<test url="http://www.gstatic.com/ddos-viz/attacks.json"/>
	<!--	Causes CORS issues on http://www.codeskulptor.org/ (try saving
		current file). See https://github.com/EFForg/https-everywhere/issues/1828
			-->
	<exclusion pattern="^http://codeskulptor-user\d+\.commondatastorage\.googleapis\.com/"/>
		<test url="http://codeskulptor-user44.commondatastorage.googleapis.com/user44_0LxgCGWCjo_0.py"/>
		<test url="http://codeskulptor-user301.commondatastorage.googleapis.com/user301_nVlSk7alrk_0.py"/>

	<rule from="^http://(?:www\.)?gmodules\.com/ig/images/" to="https://www.google.com/ig/images/"/>
		<test url="http://gmodules.com/ig/images/"/>
		<test url="http://www.gmodules.com/ig/images/"/>

	<rule from="^http://(ajax|chart|ct|fonts|imasdk|maps|www)\.googleapis\.com/" to="https://$1.googleapis.com/"/>
		<test url="http://ajax.googleapis.com/ajax/libs/angular_material/0.8.2/angular-material.min.js"/>
		<test url="http://ct.googleapis.com/aviator/ct/v1/get-entries?start=0&amp;end=1"/>
		<test url="http://chart.googleapis.com/chart?cht=p3&amp;chs=250x100&amp;chd=t:60,40&amp;chl=Hello|World"/>
		<test url="http://fonts.googleapis.com/css?family=Tangerine"/>
		<test url="http://maps.googleapis.com/maps/ms?hl=da&amp;ie=UTF8&amp;msa=0&amp;msid=213981917930555964408.00044f8886ceeef1c1b88&amp;source=embed&amp;ll=55.432276,9.439402&amp;spn=0.017045,0.043774&amp;z=14"/>

	<rule from="^http://([\w-]+\.)?(commondata)?storage\.googleapis\.com/" to="https://$1$2storage.googleapis.com/"/>
		<test url="http://chromedriver.storage.googleapis.com/"/>
		<test url="http://fiber.storage.googleapis.com/channels/guide/kansascity.pdf"/>
		<test url="http://patentimages.storage.googleapis.com/"/>
		<test url="http://bookmarc-binders.commondatastorage.googleapis.com/allegion/Allegion%202014%20Residential%20Product%20Catalogue%20Regent%20Series%20Knobs%20Levers_0114.pdf"/>
		<test url="http://bookmarc-binders.commondatastorage.googleapis.com/danpalon/Danpalon%20Architectural%20Catalogue.pdf"/>
		<test url="http://ckannet-storage.commondatastorage.googleapis.com/2014-07-06T23:24:20.852Z/vol-1-no-2-paper-2-owusu-dankwa-prosper.pdf"/>

	<!--	There is an interesting question about whether we should
		append &strip=1 to all cache URLs.  This causes them to load
		without images and styles, which is more secure but can look
		worse.
			Without &strip=1, the images and styles from the cached
		pages still load from the original, typically unencrypted, page.
			With &strip=1, the cached page will be text-only and
		will come exclusively from Google's HTTPS server.
									-->
	<rule from="^http://(www\.)?gstatic\.com/" to="https://www.gstatic.com/"/>
		<test url="http://www.gstatic.com/"/>

	<rule from="^http://(csi|encrypted-tbn\d|fonts|g0|maps|[\w-]+\.metric|ssl|t\d)\.gstatic\.com/" to="https://$1.gstatic.com/"/>
		<test url="http://csi.gstatic.com/"/>
		<test url="http://encrypted-tbn1.gstatic.com/"/>
		<test url="http://encrypted-tbn2.gstatic.com/"/>
		<test url="http://encrypted-tbn3.gstatic.com/"/>
		<test url="http://fonts.gstatic.com/"/>
		<test url="http://g0.gstatic.com/"/>
		<test url="http://maps.gstatic.com/"/>
		<test url="http://test1-ds.metric.gstatic.com/"/>
		<test url="http://test2-ds.metric.gstatic.com/"/>
		<test url="http://test3-ds.metric.gstatic.com/"/>
		<test url="http://ssl.gstatic.com/"/>
		<test url="http://t1.gstatic.com/"/>
		<test url="http://t2.gstatic.com/"/>
		<test url="http://t3.gstatic.com/"/>

</ruleset>

GoogleAPIs.xml    File a bug

The release branch contains the following rules that are enabled by default:

<!--
	For other Google coverage, see GoogleServices.xml


	Nonfunctional domains:

		- hosted.gmodules.com *
		- img0.gmodules.com *
		- p.gmodules.com *

	* 404; mismatched, CN: *.googleusercontent.com


	Problematic domains:

		- gmodules.com			(503, CN: www.google.com)
		- www.gmodules.com		(503, CN: *.googleusercontent.com)
		- gstatic.com			(404, valid cert)
		These two changed URL formats as well as domains, need to find an example
		of the old format in the wild:
		- api.recaptcha.net	(→ www.google.com)
		- api-secure.recaptcha.net


	Partially covered domains:

		- (www.)gmodules.com		(→ www.google.com)
		- (www.)google.com
		- chart.apis.google.com		(→ chart.googleapis.com)


	Fully covered domains:

		- api.google.com

		- *.clients.google.com:

			- linkhelp

		- googleapis.com subdomains:

			- ajax
			- chart
			- *.commondatastorage
			- fonts
			- storage
			- *.storage
			- www

		- gstatic.com subdomains:

			- (www.)	(^ → www)
			- csi
			- encrypted-tbn\d
			- fonts
			- g0
			- *.metric
			- ssl
			- t\d


--><ruleset name="Google APIs">
	<target host="gmodules.com"/>
	<target host="www.gmodules.com"/>
		<!-- need this exclusion otherwise the test checker will use the hosts as test urls -->
		<exclusion pattern="^http://(www\.)?gmodules\.com/$"/>

	<target host="ajax.googleapis.com"/>
		<!-- The implicit test URL at the root of this domain generates a 404.
				 Add an exclusion so the fetcher is happy. -->
		<exclusion pattern="^http://ajax\.googleapis\.com/$"/>
	<target host="chart.googleapis.com"/>
		<!-- The implicit test URL at the root of this domain generates a 404.
				 Add an exclusion so the fetcher is happy. -->
		<exclusion pattern="^http://chart\.googleapis\.com/$"/>
	<target host="ct.googleapis.com"/>
	<target host="fonts.googleapis.com"/>
	<target host="imasdk.googleapis.com"/>
	<target host="maps.googleapis.com"/>
	<target host="www.googleapis.com"/>
	<target host="commondatastorage.googleapis.com"/>
	<target host="*.commondatastorage.googleapis.com"/>
	<target host="*.storage.googleapis.com"/>
	<target host="storage.googleapis.com"/>

	<target host="gstatic.com"/>
	<target host="*.gstatic.com"/>

	<securecookie host="^maps\.gstatic\.com$" name=".+"/>

	<!--	Captive portal detection redirects to this URL, and many captive
		portals break TLS, so exempt this redirect URL.
		See GitHub bug #368
			-->
	<exclusion pattern="^http://www\.gstatic\.com/generate_204"/>
		<test url="http://www.gstatic.com/generate_204"/>

	<!--	Breaks digitalattackmap.com, cf.
		https://trac.torproject.org/projects/tor/ticket/15154
			-->
	<exclusion pattern="^http://www\.gstatic\.com/ddos-viz/attacks\.json"/>
		<test url="http://www.gstatic.com/ddos-viz/attacks.json"/>
	<!--	Causes CORS issues on http://www.codeskulptor.org/ (try saving
		current file). See https://github.com/EFForg/https-everywhere/issues/1828
			-->
	<exclusion pattern="^http://codeskulptor-user\d+\.commondatastorage\.googleapis\.com/"/>
		<test url="http://codeskulptor-user44.commondatastorage.googleapis.com/user44_0LxgCGWCjo_0.py"/>
		<test url="http://codeskulptor-user301.commondatastorage.googleapis.com/user301_nVlSk7alrk_0.py"/>

	<rule from="^http://(?:www\.)?gmodules\.com/ig/images/" to="https://www.google.com/ig/images/"/>
		<test url="http://gmodules.com/ig/images/"/>
		<test url="http://www.gmodules.com/ig/images/"/>

	<rule from="^http://(ajax|chart|ct|fonts|imasdk|maps|www)\.googleapis\.com/" to="https://$1.googleapis.com/"/>
		<test url="http://ajax.googleapis.com/ajax/libs/angular_material/0.8.2/angular-material.min.js"/>
		<test url="http://ct.googleapis.com/aviator/ct/v1/get-entries?start=0&amp;end=1"/>
		<test url="http://chart.googleapis.com/chart?cht=p3&amp;chs=250x100&amp;chd=t:60,40&amp;chl=Hello|World"/>
		<test url="http://fonts.googleapis.com/css?family=Tangerine"/>
		<test url="http://maps.googleapis.com/maps/ms?hl=da&amp;ie=UTF8&amp;msa=0&amp;msid=213981917930555964408.00044f8886ceeef1c1b88&amp;source=embed&amp;ll=55.432276,9.439402&amp;spn=0.017045,0.043774&amp;z=14"/>

	<rule from="^http://([\w-]+\.)?(commondata)?storage\.googleapis\.com/" to="https://$1$2storage.googleapis.com/"/>
		<test url="http://chromedriver.storage.googleapis.com/"/>
		<test url="http://fiber.storage.googleapis.com/channels/guide/kansascity.pdf"/>
		<test url="http://patentimages.storage.googleapis.com/"/>
		<test url="http://bookmarc-binders.commondatastorage.googleapis.com/allegion/Allegion%202014%20Residential%20Product%20Catalogue%20Regent%20Series%20Knobs%20Levers_0114.pdf"/>
		<test url="http://bookmarc-binders.commondatastorage.googleapis.com/danpalon/Danpalon%20Architectural%20Catalogue.pdf"/>
		<test url="http://ckannet-storage.commondatastorage.googleapis.com/2014-07-06T23:24:20.852Z/vol-1-no-2-paper-2-owusu-dankwa-prosper.pdf"/>

	<!--	There is an interesting question about whether we should
		append &strip=1 to all cache URLs.  This causes them to load
		without images and styles, which is more secure but can look
		worse.
			Without &strip=1, the images and styles from the cached
		pages still load from the original, typically unencrypted, page.
			With &strip=1, the cached page will be text-only and
		will come exclusively from Google's HTTPS server.
									-->
	<rule from="^http://(www\.)?gstatic\.com/" to="https://www.gstatic.com/"/>
		<test url="http://www.gstatic.com/"/>

	<rule from="^http://(csi|encrypted-tbn\d|fonts|g0|maps|[\w-]+\.metric|ssl|t\d)\.gstatic\.com/" to="https://$1.gstatic.com/"/>
		<test url="http://csi.gstatic.com/"/>
		<test url="http://encrypted-tbn1.gstatic.com/"/>
		<test url="http://encrypted-tbn2.gstatic.com/"/>
		<test url="http://encrypted-tbn3.gstatic.com/"/>
		<test url="http://fonts.gstatic.com/"/>
		<test url="http://g0.gstatic.com/"/>
		<test url="http://maps.gstatic.com/"/>
		<test url="http://test1-ds.metric.gstatic.com/"/>
		<test url="http://test2-ds.metric.gstatic.com/"/>
		<test url="http://test3-ds.metric.gstatic.com/"/>
		<test url="http://ssl.gstatic.com/"/>
		<test url="http://t1.gstatic.com/"/>
		<test url="http://t2.gstatic.com/"/>
		<test url="http://t3.gstatic.com/"/>

</ruleset>

GoogleAPIs.xml    File a bug

The HTTPS Everywhere developers welcome corrections and updates to rules. Please see our developer information and documentation of the ruleset format. If filing a bug in the Tor Project's Trac bug tracker, you can use the shared username and password cypherpunks / writecode; please ensure that the bug is marked as applying to HTTPS Everywhere.

Information current as of:


current release ff5b4642b 2019-06-27 14:21:20 -0700;
next release 17bc16471 2019-10-10 17:28:16 -0700;