[HTTPS-E Rulesets] TED (partial) ruleset breaks embeds

Colonel Graff graffatcolmingov at gmail.com
Fri May 4 19:26:26 PDT 2012


After disabling the rule, you can see what blocks the embedding from
working properly:
[20:53:22.959] GET http://images.ted.com/crossdomain.xml [HTTP/1.1 200 OK 44ms]

Because we rewrite http://images.ted.com to https://www.ted.com, the
crossdomain.xml file is entirely different.

Using curl (to avoid having to constantly toggle the rule), I get this:
<cross-domain-policy>
        <allow-access-from domain="*.ted.com"/>
</cross-domain-policy>

Using https://www.ted.com/crossdomain.xml
<cross-domain-policy>
       <site-control permitted-cross-domain-policies="master-only"/>
       <allow-access-from domain="*.ted.com"/>
</cross-domain-policy>

Unfortunately, setting an exclusion pattern for that doesn't do the trick.
For some reason, it doesn't load
https://www.ted.com/images/ted/tedindex/embed-posters/GaryKovacs_2012U-embed.jpg
but with the rule disabled, it will load
http://images.ted.com/images/ted/tedindex/embed-posters/GaryKovacs_2012U-embed.jpg.
It doesn't make sense except that this is a similar issue to the CDN topic,
i.e., it works for individual URLs and on the actual website but not embedded
in other websites.

On Thu, May 3, 2012 at 3:35 PM, Janne Maekelae <skrubaduba at gmx.com> wrote:

> Here:
> https://blog.mozilla.org/blog/2012/05/03/ted-u-talk-gary-kovacs-tracking-the-trackers/
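
The two policy files quoted in the message above, compared field by field. This is an added example, not part of the original message or of HTTPS Everywhere; the function names are hypothetical, and attributing the first policy to http://images.ted.com/crossdomain.xml is an assumption based on the log line.

```python
import xml.etree.ElementTree as ET

# The two policies quoted in the message, embedded so this runs offline.
# Assumption: the first one is what http://images.ted.com/crossdomain.xml serves.
HTTP_IMAGES_POLICY = """<cross-domain-policy>
    <allow-access-from domain="*.ted.com"/>
</cross-domain-policy>"""

HTTPS_WWW_POLICY = """<cross-domain-policy>
    <site-control permitted-cross-domain-policies="master-only"/>
    <allow-access-from domain="*.ted.com"/>
</cross-domain-policy>"""


def summarize(policy_xml):
    """Reduce a crossdomain.xml document to the fields that affect access."""
    root = ET.fromstring(policy_xml)
    site_control = root.find("site-control")
    return {
        # None means the policy has no <site-control> element at all.
        "site-control": (site_control.get("permitted-cross-domain-policies")
                         if site_control is not None else None),
        # (domain, secure) pairs; "unset" marks a missing secure attribute.
        "allow-access-from": sorted(
            (e.get("domain"), e.get("secure", "unset"))
            for e in root.findall("allow-access-from")),
    }


def policy_diff(original_xml, rewritten_xml):
    """Return {field: (original, rewritten)} for every field that differs."""
    before, after = summarize(original_xml), summarize(rewritten_xml)
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}


if __name__ == "__main__":
    diff = policy_diff(HTTP_IMAGES_POLICY, HTTPS_WWW_POLICY)
    for field, (old, new) in diff.items():
        print(f"{field}: {old!r} -> {new!r}")
```

Running the same comparison on the original and rewritten hosts of any ruleset target shows whether a rewrite changes the policy a plugin will see.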