[HTTPS-Everywhere] dev.twitter.com

Peter Eckersley pde at eff.org
Tue Dec 14 16:45:03 PST 2010


On Tue, Dec 14, 2010 at 04:15:33PM +0000, https-everywhere at lists.grepular.com wrote:
> Hi,
> 
> dev.twitter.com is only accessible via http. The <securecookie/> tag in
> Twitter.xml is making it impossible for me to log in and use
> dev.twitter.com without disabling the ruleset.
> 
> Despite this, the securecookie has enough value that I don't think it's
> worth removing. Perhaps the Twitter ruleset could be split into two? 

We could split the securecookie portion of the Twitter rule into a second
rule, so that you can turn it off while still enjoying HTTPSification on other
parts of the site.  They would both be on by default.  The problem is that if
the user turns off the default Twitter rule, but leaves on the Twitter+ rule,
much breakage would ensue.

We theoretically have this problem now, but because the FB+ rule is off by
default, it's less likely to happen.

-- 
Peter Eckersley                            pde at eff.org
Senior Staff Technologist         Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
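
The login failure reported in the thread above, modelled as an added example (not part of the original message, and not HTTPS Everywhere code): once a cookie is flagged Secure, a client withholds it from the HTTP-only dev.twitter.com. The host/name patterns and the sample cookie are assumptions, since the message shows only a bare <securecookie/> tag.

```python
import re
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

# Assumed patterns: the thread shows only a bare <securecookie/> tag, so these
# host/name regexes are hypothetical stand-ins for the rule's attributes.
SECURECOOKIE_HOST = re.compile(r"^(.*\.)?twitter\.com$")
SECURECOOKIE_NAME = re.compile(r".*")


def make_cookie(name, value, domain):
    """Build a session cookie as a server might set it, without the Secure flag."""
    return Cookie(0, name, value, None, False, domain, True,
                  domain.startswith("."), "/", True, False, None, True,
                  None, None, {})


def apply_securecookie(jar, enabled):
    """Model the securecookie rule: flag matching cookies Secure when enabled."""
    for cookie in jar:
        host = cookie.domain.lstrip(".")
        if (enabled and SECURECOOKIE_HOST.match(host)
                and SECURECOOKIE_NAME.match(cookie.name)):
            cookie.secure = True


def cookie_header(jar, url):
    """Return the Cookie header a client would send to url, or None."""
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def simulate(securecookie_enabled):
    """Show which URLs receive the session cookie with the rule on or off."""
    jar = CookieJar()
    # Constructed sample cookie; the name and value are not from the thread.
    jar.set_cookie(make_cookie("session", "abc123", ".twitter.com"))
    apply_securecookie(jar, securecookie_enabled)
    urls = ("https://twitter.com/", "http://dev.twitter.com/")
    return {url: cookie_header(jar, url) for url in urls}


if __name__ == "__main__":
    for enabled in (True, False):
        print("securecookie on: " if enabled else "securecookie off:",
              simulate(enabled))
```

With the rule on, the HTTP request to dev.twitter.com carries no session cookie, which is the broken login; with it off, the same cookie is sent over cleartext HTTP.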


