[HTTPS-Everywhere] Breaking Other Websites

Daniel Lanigan Daniel at chibu.net
Thu Nov 25 16:46:24 PST 2010


Peter,

The problem is with the one on lines 39-40, google.com/jsapi. Others have
had the same problem when explicitly calling it via https from http as well.


Thanks for the fast response. Keep up the great work.

~ Daniel

On Nov 25, 2010 4:59 PM, "Peter Eckersley" <pde at eff.org> wrote:
> Daniel,
>
> It might be that Firefox isn't sending HTTP-Referer for the HTTPS API
> requests. IIRC the HTTP specification says not to send referers from https
> pages to http pages, perhaps the reverse is also implemented.
>
> Which are the problematic rewriting rules? The rulesets are here:
>
>
> https://gitweb.torproject.org/https-everywhere.git/blob/HEAD:/src/chrome/content/rules/GoogleAPIs.xml
> https://gitweb.torproject.org/https-everywhere.git/blob/HEAD:/src/chrome/content/rules/GoogleServices.xml
> https://gitweb.torproject.org/https-everywhere.git/tree/HEAD:/src/chrome/content/rules
>
>
> On Thu, Nov 25, 2010 at 10:17:16AM -0500, Daniel Lanigan wrote:
>
>> So in short, when calling any functions on the API, which is being fetched
>> via https, I get a security error (can't call method on NPObject) since the
>> site is unencrypted and the API is https.
>>
>> So, I suppose the easiest fix for this would be to not change the protocol
>> for scripts being called from an unencrypted site, even if the site (google)
>> has a ruleset, or at least have this as an extra option.
>
> --
> Peter Eckersley pde at eff.org
> Senior Staff Technologist Tel +1 415 436 9333 x131
> Electronic Frontier Foundation Fax +1 415 436 9993