Fixed UNTRUSTED domains accidentally set in "match HTTPS only" mode (issue #126).

src/common/Policy.js

@@ -329,8 +329,12 @@ var {Permissions, Policy, Sites} = (() => {
     if (typeof dry.sites === "object" && !(dry.sites instanceof Sites)) {
       let {trusted, untrusted, temp, custom} = dry.sites;
       let sites = Sites.hydrate(custom);
-      for (let key of trusted) sites.set(key, options.TRUSTED);
-      for (let key of untrusted) sites.set(key, options.UNTRUSTED);
+      for (let key of trusted) {
+        sites.set(key, options.TRUSTED);
+      }
+      for (let key of untrusted) {
+        sites.set(Sites.toggleSecureDomainKey(key, false), options.UNTRUSTED);
+      }
       if (temp) {
         let tempPreset = options.TRUSTED.tempTwin;
         for (let key of temp) sites.set(key, tempPreset);
@@ -427,7 +431,7 @@ var {Permissions, Policy, Sites} = (() => {
 
       if (perms === this.UNTRUSTED) {
         cascade = true;
-        Sites.toggleSecureDomainKey(siteKey, false);
+        siteKey = Sites.toggleSecureDomainKey(siteKey, false);
       }
       if (cascade && !url) {
         for (let subMatch; (subMatch = sites.match(siteKey));) {

src/test/Policy_test.js

@@ -9,7 +9,9 @@
   p1.set("perchè.com", p1.TRUSTED);
   p1.set("10", p1.TRUSTED);
   p1.set("192.168", p1.TRUSTED);
-  p1.set("192.168.69", p1.UNTRUSTED)
+  p1.set("192.168.69", p1.UNTRUSTED);
+  // secureDomainKey should be "downgraded" by UTRUSTED, issue #126
+  p1.set(Sites.secureDomainKey("evil.com"), p1.UNTRUSTED);
   let p2 = new Policy(p1.dry());
   debug("p1", JSON.stringify(p1.dry()));
   debug("p2", JSON.stringify(p2.dry()));
@@ -31,7 +33,8 @@
     () => !p1.can("https://192.168.69.1"),
     () => !p1.can("https://10.0.0.1"),
     () => p1.can("http://192.168.1.2"),
-    () => p1.can("http://some.onion")
+    () => p1.can("http://some.onion"),
+    () => !p1.can("http://evil.com"),
   ]) Test.run(t);
   Sites.onionSecure = onionSecureCurrent;
   Test.report();