[HTTPS-E Rulesets] Fwd: https-everywhere breaks video tracking and transcript scrolling on khanacademy.org

[Peter Eckersley]

Redirecting to the https-everywhere-rules mailing list.

----- Forwarded message from Vittorio Gonzalez <email at vittorio.me> -----

Date: Fri, 31 Aug 2012 21:00:07 -0400
From: Vittorio Gonzalez <email at vittorio.me>
To: https-everywhere at eff.org
Subject: https-everywhere breaks video tracking and transcript scrolling on khanacademy.org

HTTPS Everywhere rulesets for youtube and google services break video
tracking and transcript scrolling (which is synced to video playback) on
http://khanacademy.org

I've filed a bug report with Khan Academy about this issue, but I'm not
sure if this is an issue where khanacademy simply can not query playback
position on embedded videos if https is being used (and as such not a
problem they can solve on their end).

If this is a bug that could be solved by certain tweaks on your end, it
would be much appreciated, but if that is not the case, it raises a
concern/feature request that I think would be useful in many circumstances:
namely, being able to disable HE rules on a per site/domain basis, where
having certain rules enabled cripples critical site functionality.

At the moment, disabling the ruleset for youtube and google services means
an inordinate number of sites are affected. Since rulesets can only be
enabled or disabled universally, it creates a situation where on one hand,
a site is rendered nonfunctional by having them enabled (the tracking
metrics are a core function of what khanacademy provides), but I'm missing
out on the protection HE provides on other sites where having the HE rules
enabled doesn't degrade the user experience.

It would be great if there was a way that having to disable a ruleset on
one site/domain wouldn't necessarily disable that ruleset across the board.
This is particularly relevant for domains that provide embeddable services
to other sites vs destination sites where the consequences of having the
ruleset being on or off is more limited  (ie. having the ruleset for google
turned on/off affects a massive number of domains and leaks a lot of
potentially sensitive information).

Thanks for all the amazing work you guys do and for this great extension.

-- 
Vittorio Gonzalez | (240) 681-9870

----- End forwarded message -----

-- 
Peter Eckersley                            pde at eff.org
Technology Projects Director      Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993