[HTTPS-E Rulesets] Problems browsing scratch.mit.edu with https everywhere enabled
Seth David Schoen
schoen at eff.org
Sun Nov 11 22:56:15 PST 2012
Amos Blanton writes:
> Greetings,
>
> We've gotten several reports of strange behavior when browsing Scratch (
> scratch.mit.edu) with https everywhere enabled, including users getting
> logged out repeatedly, and becoming logged in under incorrect accounts. One
> person suspected that a rule was set for *.mit.edu that was not compatible
> with Scratch.
>
> AFAIK, Scratch does not have https support, unless it is built into the
> cake php foundation, which I doubt. Can you recommend a solution for this
> issue, or next steps to take?
Hi,

This is probably due to

  <securecookie host="^.*\.mit\.edu$" name=".*" />

in the MIT rule, which is overly optimistic. This would stop any cookie from
being sent to any non-HTTPS URL at any MIT web page.

I'll scale this back so it won't be a wildcard anymore, which should fix the
login issue. (It would be great if you could turn on HTTPS, of course.)

--
Seth Schoen <schoen at eff.org>
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107
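
The effect described in the message above can be checked mechanically before a ruleset ships. The following is an added example, not part of the original thread and not HTTPS Everywhere's own code: a simplified model of securecookie matching that lists cookies a rule would flag as Secure on hosts that have no HTTPS. The host https-host.mit.edu, the cookie name, the HTTPS host list and the narrowed rule are constructed for illustration.

```javascript
// Simplified model: a securecookie rule applies when both its host regex
// and its name regex match the cookie. Not the extension's real code.
function parseSecureCookies(rulesetXml) {
  const rules = [];
  const re = /<securecookie\s+host="([^"]*)"\s+name="([^"]*)"\s*\/>/g;
  let m;
  while ((m = re.exec(rulesetXml)) !== null) {
    rules.push({ host: new RegExp(m[1]), name: new RegExp(m[2]) });
  }
  return rules;
}

// True if the rules would mark this cookie Secure (sent over HTTPS only).
function wouldSecure(rules, cookie) {
  return rules.some(r => r.host.test(cookie.domain) && r.name.test(cookie.name));
}

// Cookies flagged Secure although their host is only served over HTTP.
// The browser withholds them on every request, so logins do not persist.
function strandedCookies(rules, cookies, httpsHosts) {
  return cookies
    .filter(c => wouldSecure(rules, c) && !httpsHosts.has(c.domain))
    .map(c => `${c.name}@${c.domain}`);
}

// Rule quoted in the message above.
const WILDCARD = '<securecookie host="^.*\\.mit\\.edu$" name=".*" />';
// Hypothetical narrowed rule (assumption; the actual fix is not shown in the thread).
const SCOPED = '<securecookie host="^https-host\\.mit\\.edu$" name=".*" />';

// Constructed sample data: hosts assumed to serve HTTPS, and cookies in the jar.
const HTTPS_HOSTS = new Set(["https-host.mit.edu"]);
const COOKIES = [
  { domain: "scratch.mit.edu", name: "session" },    // HTTP-only site per the report
  { domain: "https-host.mit.edu", name: "session" }, // hypothetical HTTPS site
];

function audit(rulesetXml) {
  return strandedCookies(parseSecureCookies(rulesetXml), COOKIES, HTTPS_HOSTS);
}

console.log("wildcard rule strands:", audit(WILDCARD));
console.log("scoped rule strands:  ", audit(SCOPED));
```
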