[HTTPS-Everywhere] CPJ mixed content for no apparent reason
Seth David Schoen
schoen at eff.org
Tue Oct 26 16:35:56 PDT 2010
https://www.cpj.org/internet/2010/10/protecting-journalists-from-firesheep.php
gives me a mixed-content warning even with a blanket cpj.org rewrite
rule, which you can find in e-l-r. I couldn't find any insecure
media in the Media tab.
Live HTTP Headers similarly doesn't reveal _any_ attempts to access
non-HTTPS content on that page, but Wireshark does. The offending
access is to something that Live HTTP Headers believes has been
rewritten as HTTPS: any one of the following
http://cpj.org/css/images/header1.jpg
http://cpj.org/css/images/header2.jpg
http://cpj.org/css/images/header3.jpg
http://cpj.org/css/images/header4.jpg
http://cpj.org/css/images/header5.jpg
http://cpj.org/css/images/header6.jpg
depending on when you access the page.
This reference is generated from the CSS stylesheet
https://cpj.org/css/styles.css
which contains the CSS code
#header {
background-color: #4d4d4d;
background-image: url(/cgi-bin/image.cgi);
height: 133px;
cursor: pointer;
}
https://cpj.org/cgi-bin/image.cgi is a CGI script which generates
a redirect (via 302 with Location header) to one of the six insecure
image URLs mentioned above. For some reason, the image then gets
loaded insecurely even though Live HTTP Headers thinks it's been
rewritten. Is this the connection re-use bug?
I'm using 0.2.3.development.1 with Firefox 3.6.11 and all of the rules
from e-l-r.
--
Seth Schoen
Senior Staff Technologist schoen at eff.org
Electronic Frontier Foundation https://www.eff.org/
454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107
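The chain Seth describes (stylesheet -> CGI -> 302 -> http:// image) is easy to miss with tools that only look at the first request URL. The following script is an added example, not code from the thread or from HTTPS Everywhere: it extracts url() references from a stylesheet, follows each redirect hop, and reports any hop that lands on plain http. The site map is a constructed offline stand-in that mirrors the URLs in the report; `fake_fetch` is an assumed replacement for a real HTTP client.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed stand-in for the live site: URL -> (status, headers, body).
# The stylesheet rule and the redirecting CGI mirror the report above.
FAKE_SITE = {
    "https://cpj.org/css/styles.css": (
        200, {}, "#header {\n  background-image: url(/cgi-bin/image.cgi);\n}\n"),
    "https://cpj.org/cgi-bin/image.cgi": (
        302, {"Location": "http://cpj.org/css/images/header1.jpg"}, ""),
    "http://cpj.org/css/images/header1.jpg": (200, {}, "<jpeg bytes>"),
}

def fake_fetch(url):
    """Offline fetch: look the URL up in the constructed site map."""
    return FAKE_SITE.get(url, (404, {}, ""))

URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)")

def css_references(stylesheet_url, css_text):
    """Absolute URLs of every url(...) reference in a stylesheet."""
    return [urljoin(stylesheet_url, ref) for ref in URL_RE.findall(css_text)]

def follow_redirects(url, fetch, max_hops=5):
    """Return every URL visited while following Location headers."""
    chain = [url]
    for _ in range(max_hops):
        status, headers, _body = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or "Location" not in headers:
            break
        chain.append(urljoin(chain[-1], headers["Location"]))
    return chain

def insecure_hops(stylesheet_url, fetch):
    """Map each CSS reference to the http:// URLs reached when loading it."""
    status, _headers, css_text = fetch(stylesheet_url)
    if status != 200:
        return {}
    findings = {}
    for ref in css_references(stylesheet_url, css_text):
        chain = follow_redirects(ref, fetch)
        bad = [u for u in chain if urlparse(u).scheme == "http"]
        if bad:
            findings[ref] = bad
    return findings

if __name__ == "__main__":
    for ref, bad in insecure_hops("https://cpj.org/css/styles.css", fake_fetch).items():
        print(f"{ref} -> plaintext hop(s): {bad}")
```

The initial request to image.cgi is HTTPS, which is why a tool keyed on the request URL reports nothing; the downgrade only appears when the Location hop is inspected.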