From 97495851af2e613897328a91cd16182044fb13e6 Mon Sep 17 00:00:00 2001
From: Felipe M
Date: Tue, 9 Feb 2021 16:41:46 +0100
Subject: [PATCH] Refusing to fill non-https sites
---
 qute_1pass.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/qute_1pass.py b/qute_1pass.py
index 6b2dea6..9633772 100755
--- a/qute_1pass.py
+++ b/qute_1pass.py
@@ -47,6 +47,11 @@ parser.add_argument(
 help="Cache 1password session for 30 minutes",
 action="store_true",
 )
+parser.add_argument(
+ "--allow-insecure-sites",
+ help="Allow filling credentials on insecure sites",
+ action="store_true",
+)
 class Qute:
@@ -325,5 +330,15 @@ class CLI:
 if __name__ == "__main__":
 arguments = parser.parse_args()
+
+ # Prevent filling credentials in non-secure sites if not explicitly allwoed
+ if not arguments.allow_insecure_sites:
+ if urlsplit(os.environ["QUTE_URL"])[0] != "https":
+ Qute.message_error(
+ "Trying to fill a non-secure site. If you want to allow it add the --allow-insecure-sites flag."
+ )
+ logger.error("Refusing to fill credentials on non-secure sites")
+ sys.exit(0)
+
+ cli = CLI(arguments)
 sys.exit(cli.run())
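Review bot: The help string for `--allow-insecure-sites` does not say what counts as insecure, nor that the switch turns the check off for every site rather than for one page. Something like `help="Allow filling credentials on non-HTTPS pages (disables the scheme check for all sites)"` would make the trade-off visible in `--help`. If the flag ends up stored in a permanent key binding, which seems likely for a userscript, the protection is effectively off from then on, so a per-host opt-out would be a narrower alternative worth considering.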
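Review bot: The refusal branch ends with `sys.exit(0)`, so a blocked fill reports success to whatever launched the script. Unless the zero status is deliberate (for example to avoid a second error banner from the browser), `sys.exit(1)` would make the refusal visible to callers, and either choice deserves a short comment. In the same branch `os.environ["QUTE_URL"]` raises `KeyError` when the variable is unset; `scheme = urlsplit(os.environ.get("QUTE_URL", "")).scheme` followed by `if scheme != "https":` still fails closed but reaches the error message instead of a traceback. The check looks only at the scheme of the top-level page URL and says nothing about where a form on an https page submits, which the comment should state so the guard is not read as a stronger guarantee than it gives. The comment also contains a typo (`allwoed`).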