[HTTPS-Everywhere] Breaking Other Websites

Daniel Lanigan Daniel at chibu.net
Thu Nov 25 16:48:30 PST 2010


Sorry, I forgot to mention that it's in GoogleAPIs.xml

~ Daniel
On Nov 25, 2010 7:46 PM, "Daniel Lanigan" <Daniel at chibu.net> wrote:
> Peter,
>
> The problem is with the one on lines 39-40, google.com/jsapi. Others have
> had the same problem when explicitly calling it via https from http as well.
>
>
> Thanks for the fast response. Keep up the great work.
>
> ~ Daniel
> On Nov 25, 2010 4:59 PM, "Peter Eckersley" <pde at eff.org> wrote:
>> Daniel,
>>
>> It might be that Firefox isn't sending HTTP-Referer for the HTTPS API
>> requests. IIRC the HTTP specification says not to send referers from https
>> pages to http pages, perhaps the reverse is also implemented.
>>
>> Which are the problematic rewriting rules? The rulesets are here:
>>
>> https://gitweb.torproject.org/https-everywhere.git/blob/HEAD:/src/chrome/content/rules/GoogleAPIs.xml
>>
>> https://gitweb.torproject.org/https-everywhere.git/blob/HEAD:/src/chrome/content/rules/GoogleServices.xml
>>
>> https://gitweb.torproject.org/https-everywhere.git/tree/HEAD:/src/chrome/content/rules
>>
>> On Thu, Nov 25, 2010 at 10:17:16AM -0500, Daniel Lanigan wrote:
>>
>>> So in short, when calling any functions on the API, which is being fetched
>>> via https, I get a security error (can't call method on NPObject) since the
>>> site is unencrypted and the api is https.
>>>
>>> So, I suppose the easiest fix for this would be to not change the protocol
>>> for scripts being called from an unencrypted site, even if the site (google)
>>> has a ruleset, or at least have this as an extra option.
>>
>> --
>> Peter Eckersley pde at eff.org
>> Senior Staff Technologist Tel +1 415 436 9333 x131
>> Electronic Frontier Foundation Fax +1 415 436 9993