cmark-gfm

Autolink improvements

Open lol768 opened this issue 7 years ago • 0 comments

From what I understand,

  • Autolink assumes only domains with a leading www. should be linked. Many domains are configured to redirect to the "bare" variant without the www since it is technically unnecessary, so this assumption does not hold.
  • Autolink assumes the insecure http:// protocol. This opens the visitor up to a MitM if they've not visited the site before (for no HSTS preload) or the site doesn't use HSTS and no redirect is cached.

It is proposed:

  • This feature use the Public Suffix List to detect references to domains.
  • The default protocol be changed to https:// since the vast majority of browser page loads are performed using HTTPS nowadays (https://letsencrypt.org/stats/#percent-pageloads). If the user needs to refer to a legacy site, they can specify the link explicitly.

lol768, Jun 23 '18 20:06
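
The two behaviours contrasted in the issue above, as an added example that is not part of the original issue and is not cmark-gfm's own code (which is written in C). The function names, the three-entry stand-in for the Public Suffix List and the sample text are assumptions constructed for illustration.

```python
import html
import re

# Constructed stand-in for the Public Suffix List (assumption: a real
# implementation would load the full list published at publicsuffix.org).
SAMPLE_SUFFIXES = {"com", "org", "co.uk"}

# Bare hostname candidates. The lookbehind skips text that is already part of
# an explicit URL ("//host"), an e-mail address ("@host") or a longer token.
HOST_RE = re.compile(
    r"(?<![\w@/.-])((?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,})(?![\w-])",
    re.IGNORECASE,
)

def is_registrable(host, suffixes=SAMPLE_SUFFIXES):
    """True when at least one label sits to the left of a listed suffix."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in suffixes for i in range(1, len(labels)))

def _autolink(text, accept, scheme):
    def link(match):
        host = match.group(1)
        if not accept(host):
            return match.group(0)  # leave non-domains such as "file.txt" alone
        return f'<a href="{scheme}://{host}">{host}</a>'
    # Escape first so user text cannot inject markup; matched hosts only
    # contain letters, digits, dots and hyphens.
    return HOST_RE.sub(link, html.escape(text))

def autolink_current(text):
    """Behaviour the issue describes: www. prefix required, http:// assumed."""
    return _autolink(text, lambda h: h.lower().startswith("www."), "http")

def autolink_proposed(text):
    """Behaviour the issue proposes: suffix-list detection, https:// default."""
    return _autolink(text, is_registrable, "https")

# Constructed sample input.
SAMPLE = "See www.example.com and example.co.uk, not file.txt or http://example.org/x"

if __name__ == "__main__":
    print(autolink_current(SAMPLE))
    print(autolink_proposed(SAMPLE))
```

Explicitly written links such as `http://example.org/x` are left untouched by both functions, which matches the issue's point that a user who needs a legacy site can specify the link explicitly.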