[HTTPS-E Rulesets] Regarding latest Disqus issue

Christopher Liu cmliu00151 at gmail.com
Thu May 17 21:30:43 PDT 2012


To whom it may concern:

Regarding the comment posted on
https://trac.torproject.org/projects/tor/ticket/5496 by gh1234 about
Omgubuntu, I was able to reproduce the problem (using the ruleset as
it currently exists in git head), and the exclusion that worked was
http://disqus.com/next/lounge/client.html .
(There are query parameters - do not add $ at the end of this.)

My attempts to exclude the /build/next/embed.js file and other scripts
in the "next" folder were unsuccessful (hmmm, why?).

...this is not a great situation, since the exclusion is for the
disqus.com domain rather than media/mediacdn/securecdn/etc. Is there a
securecookie we could add to plug this leak?
Is this a tech evangelism bug since Disqus appears to be doing some redesigning?

I apologize that I don't have a Disqus account, nor anything in mind
worth commenting about on Omgubuntu, nor other examples of similarly
affected sites.
I am not any of the commenters on the Trac ticket.

C. Liu

P.S. Expect another lengthy email in the next few days.
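
Added example, not part of the original message and not HTTPS Everywhere's own code: a simplified JavaScript model of how an exclusion pattern is tested against the full request URL, showing why a trailing `$` on the exclusion above would stop it matching once query parameters are present. The rule, the regex form of the exclusion and the sample query parameter are constructed assumptions, not the real Disqus ruleset.

```javascript
// Simplified model of applying one HTTPS Everywhere-style ruleset to a URL.
// Constructed for illustration; this is NOT the real Disqus ruleset.
function applyRuleset(ruleset, url) {
  // An exclusion is a regex tested against the whole URL, query string included.
  for (const pattern of ruleset.exclusions) {
    if (new RegExp(pattern).test(url)) {
      return url; // excluded: the request is left untouched (stays on HTTP)
    }
  }
  // The first matching rule rewrites the URL.
  for (const rule of ruleset.rules) {
    const from = new RegExp(rule.from);
    if (from.test(url)) {
      return url.replace(from, rule.to);
    }
  }
  return url;
}

// Hypothetical ruleset: one blanket HTTP -> HTTPS rule plus one exclusion.
function makeRuleset(exclusionPattern) {
  return {
    exclusions: [exclusionPattern],
    rules: [{ from: "^http://disqus\\.com/", to: "https://disqus.com/" }],
  };
}

// The exclusion from the message, written as a regex (assumed form).
const UNANCHORED = "^http://disqus\\.com/next/lounge/client\\.html";
const ANCHORED = UNANCHORED + "$"; // the variant the message warns against

// Constructed sample requests; the query parameter is made up.
const WITH_QUERY = "http://disqus.com/next/lounge/client.html?f=example";
const BARE = "http://disqus.com/next/lounge/client.html";
const OTHER = "http://disqus.com/some/other/page";

function demo() {
  return {
    unanchoredWithQuery: applyRuleset(makeRuleset(UNANCHORED), WITH_QUERY),
    anchoredWithQuery: applyRuleset(makeRuleset(ANCHORED), WITH_QUERY),
    anchoredBare: applyRuleset(makeRuleset(ANCHORED), BARE),
    unanchoredOther: applyRuleset(makeRuleset(UNANCHORED), OTHER),
  };
}

console.log(demo());
```

With the anchored pattern the exclusion only fires for the bare URL, so the real request (which carries query parameters) is still rewritten to HTTPS.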



