Questions and feature requests about "upgrade to https" / "https everywhere" and "private window"

I was surprised when I noticed that Brave did not upgrade a request to https, even though the site supports https – the site also doesn’t redirect to https as it should, but that’s not the point.

So I looked around and found this explanation:

Does that mean that upgrade to https only works for domains included in that list of “this can use https” (from https://www.https-rulesets.org/ I guess), as opposed to trying https first and only falling back to http if it could not connect, for unknown sites not in the list?

If so:

For curiosity, what is the technical reason for only using the list instead of trying https and falling back – or optionally blocking – with the list still providing rewrite rules for sites that need them and exclusions for pages that would break?
I have looked at the https everywhere project, and it explains things in much detail, except this.

Can users set a site to always use https by themselves? If not, consider it a feature request.

Could a “block all unencrypted requests” option be provided?

Is it possible to set shields options for a site before ever accessing the site – other than setting “global shields defaults”? If not, consider it a feature request.

Last one, is there a way to set some site to always open in private or private+tor – ideally, blocking and warning about connections to them coming from other pages?
Example: if I set example.com as “always open in private”, bookmarks, links and typed urls would open in a private window automatically, and some another.com requesting resources from example.com would have those requests blocked unless already in private window.
I see there has been some related discussion long ago in GitHub issue #910.

Regarding your HTTPS Everywhere questions: right now users can’t change the way the component works. It relies on a list of websites eligible for an upgrade, and that’s as far as it goes. All you can do is determine whether you would like HTTPS Everywhere to work on a global level or on a per-site basis, just like the ad block & fingerprinting protection features of Brave Shields.

There will definitely be changes related to the use of HTTPS Everywhere in Brave. It’s impossible (and early) to tell which approach Brave developers will choose (from the Github issue below), so we’ll have to wait and see how Brave will continue handling the upgrade of connections in the near future.

I’m unaware of such an option. What comes to my mind as a possible solution is using a third-party extension, for example https://chrome.google.com/webstore/detail/blocksite-block-websites/eiimnmioipafcokbfikbljfdeojpcgbh. If you don’t give the extension permission to work in private mode, the blocked websites will be accessible only while in private mode (private window or Tor private window).

1 Like