[HTTPS-E Rulesets] Problems browsing scratch.mit.edu with https everywhere enabled
Peter Eckersley
pde at eff.org
Sun Nov 11 23:59:42 PST 2012

On Sun, Nov 11, 2012 at 10:56:15PM -0800, Seth David Schoen wrote:
> This is probably due to
>
> <securecookie host="^.*\.mit\.edu$" name=".*" />
>
> in the MIT rule, which is overly optimistic. This would stop any cookie from
> being sent to any non-HTTPS URL at any MIT web page.

That's a slight overstatement. It would only affect cookies that are set over
HTTPS (either because that webserver naturally uses HTTPS or because HTTPS
Everywhere caused it to).

However I do think the wildcard in that securecookie rule is a bug, and we
should search the ruleset library for other instances of <securecookie>
elements containing wildcards when the <rule> elements don't.

> I'll scale this back so it won't be a wildcard anymore, which should fix the
> login issue. (It would be great if you could turn on HTTPS, of course.)

I think we'd need a bit more information to be sure that this would work, because
it's possible there's a cookie for all of .mit.edu which is used for
authentication on both scratch.mit.edu, which doesn't support HTTPS, and
someotherthing.mit.edu, which does.

--
Peter Eckersley pde at eff.org
Technology Projects Director Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993
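
An added example, not part of the original message or of the HTTPS Everywhere code base: one way to run the search proposed above, flagging rulesets whose <securecookie> host pattern contains a wildcard while none of their <rule> patterns do. The wildcard test is a regex heuristic (an assumption), and both sample rulesets are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic (assumption): an unescaped ".", a character class, or \w/\d/\s
# followed by * or + counts as a wildcard.
WILDCARD = re.compile(r"(?<!\\)(?:\.|\[[^\]]*\]|\\[wWdDsS])[*+]")


def is_wildcard(pattern):
    """True if the regex can match an open-ended set of hostnames."""
    return bool(WILDCARD.search(pattern))


def overbroad_securecookies(ruleset_xml):
    """Return the host patterns of wildcard <securecookie> elements in a
    ruleset whose <rule from="..."> patterns contain no wildcard."""
    root = ET.fromstring(ruleset_xml)
    if any(is_wildcard(r.get("from", "")) for r in root.iter("rule")):
        return []  # rules are wildcarded too, so the two scopes agree
    return [sc.get("host", "") for sc in root.iter("securecookie")
            if is_wildcard(sc.get("host", ""))]


# Constructed sample rulesets (not the real MIT rule file); only the
# <securecookie> line in the first one is taken from the message above.
NARROW_RULES = r'''<ruleset name="Example (constructed)">
  <target host="web.mit.edu" />
  <securecookie host="^.*\.mit\.edu$" name=".*" />
  <rule from="^http://web\.mit\.edu/" to="https://web.mit.edu/" />
</ruleset>'''

WILDCARD_RULES = r'''<ruleset name="Example 2 (constructed)">
  <target host="*.example.org" />
  <securecookie host="^.*\.example\.org$" name=".*" />
  <rule from="^http://([^/:@]+)\.example\.org/" to="https://$1.example.org/" />
</ruleset>'''

if __name__ == "__main__":
    for label, xml in (("narrow", NARROW_RULES), ("wildcard", WILDCARD_RULES)):
        print(label, overbroad_securecookies(xml))
```

A flagged ruleset still needs manual review, since the check says nothing about which hosts under the domain actually serve HTTPS.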