[HTTPS-Everywhere] Microsoft.com/security/ exclusion needed

Peter Eckersley pde at eff.org
Mon Oct 18 08:21:31 PDT 2010


How silly.  HTTPS Everywhere has a counter to detect infinite redirects back
to HTTP to prevent that from happening.  However, it only works with HTTP
protocol redirects, and those pages seem to be using JavaScript redirection
instead.  Interestingly, if I block JavaScript (with NoScript) the HTTPS
version loads happily.

AFAICT this JavaScript is present on the entire www.microsoft.com/security/
tree.  We could add an exclusion for it, or yell at Microsoft about it, or
both.

I wonder if this was intended as some kind of anti-clickjacking measure or as
a defense against cookie theft via mixed content?  In the former case it seems
broken; in the latter case perhaps not.


On Mon, Oct 18, 2010 at 04:00:59PM +0100, Nitrox wrote:
> the following page keeps falling back to http version -
> http://www.microsoft.com/security/malwareremove/default.aspx
> 
> so you need to add an exclusion to this page.
> 
> even this page keeps falling back to http version -
> http://www.microsoft.com/security/default.aspx



-- 
Peter Eckersley                            pde at eff.org
Senior Staff Technologist         Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
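
The behaviour discussed in this message, as an added example that is not part of the original post and not HTTPS Everywhere source code: a small model of a loop guard that counts rewrites within one HTTP redirect chain, run against a 302 redirect and against a script redirect, and then with an exclusion for the /security/ tree. The guard design, the limit of 5 and all function names are assumptions made for illustration.

```javascript
// Added illustration, not HTTPS Everywhere source; all names here are hypothetical.
const toHttps = (url) => url.replace(/^http:/, "https:");
const toHttp = (url) => url.replace(/^https:/, "http:");

// Constructed site models: two ways a server can push an https request back to http.
const servers = {
  // 302 + Location header: an HTTP protocol redirect, part of one redirect chain.
  httpRedirect: (url) =>
    url.startsWith("https:") ? { status: 302, location: toHttp(url) } : { status: 200 },
  // 200 page whose script assigns window.location: starts a brand-new navigation.
  jsRedirect: (url) =>
    url.startsWith("https:") ? { status: 200, scriptNavigatesTo: toHttp(url) } : { status: 200 },
};

// Assumed guard: count rewrites within one redirect chain and stop rewriting at
// `limit`. A script-initiated navigation begins a new chain, so the count resets.
function navigate(server, start, exclusions = [], limit = 5, maxSteps = 50) {
  let url = start;
  let chainRewrites = 0;
  for (let step = 1; step <= maxSteps; step++) {
    const excluded = exclusions.some((re) => re.test(url));
    if (url.startsWith("http:") && !excluded && chainRewrites < limit) {
      chainRewrites++;
      url = toHttps(url);
    }
    const res = server(url);
    if (res.status === 302) {
      url = res.location; // same chain, counter keeps growing
    } else if (res.scriptNavigatesTo) {
      url = res.scriptNavigatesTo; // new navigation
      chainRewrites = 0; // the guard forgets what it has seen
    } else {
      return { finalUrl: url, looped: false, steps: step };
    }
  }
  return { finalUrl: url, looped: true, steps: maxSteps };
}

const page = "http://www.microsoft.com/security/default.aspx";
// Exclusion covering the tree named in the thread.
const exclusion = [/^http:\/\/www\.microsoft\.com\/security\//];
console.log(navigate(servers.httpRedirect, page)); // guard trips, page loads over http
console.log(navigate(servers.jsRedirect, page)); // guard never trips
console.log(navigate(servers.jsRedirect, page, exclusion)); // no rewrite, no loop
```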
