Reject filter list downloads over unencrypted HTTP
Background
Currently, it is possible to add filter lists with a http:// URL, which are vulnerable to man in-the-middle attacks and other security threats.
What to change
Immediately mark the filter download as failed, without sending a request, if the URL uses the http: protocol.
Integration notes
Unencrypted HTTP downloads are no longer supported and will give an error.
The /subscriptions page lists some subscriptions with http:// URLs. We may want to change these to https:// after informing the filter list authors and helping them migrate if required.
The UI may want to validate subscription URLs (cc: @ThomasGreiner).
Hints for testers
On the options page, add a subscription with an http:// URL to a remote host. The sync should fail with an error saying "invalid URL" or something to this effect. Add a subscription with an https:// URL and see that it syncs successfully and the filters in the subscription work.
Add subscriptions with http://127.0.0.1 and http://localhost URLs (unencrypted HTTP but to localhost) and see that they still work.