[HTTPS-Everywhere] CPJ mixed content for no apparent reason
Peter Eckersley
pde at eff.org
Tue Oct 26 17:04:26 PDT 2010
The fact that this is caused by a 302 makes me think it may be the same as
https://trac.torproject.org/projects/tor/ticket/2080
On Tue, Oct 26, 2010 at 04:35:56PM -0700, Seth David Schoen wrote:
> https://www.cpj.org/internet/2010/10/protecting-journalists-from-firesheep.php
>
> gives me a mixed-content warning even with a blanket cpj.org rewrite
> rule, which you can find in e-l-r. I couldn't find any insecure
> media in the Media tab.
>
> Live HTTP Headers similarly doesn't reveal _any_ attempts to access
> non-HTTPS content on that page, but Wireshark does. The offending
> access is to something that Live HTTP Headers believes has been
> rewritten as HTTPS: any one of the following
>
> http://cpj.org/css/images/header1.jpg
> http://cpj.org/css/images/header2.jpg
> http://cpj.org/css/images/header3.jpg
> http://cpj.org/css/images/header4.jpg
> http://cpj.org/css/images/header5.jpg
> http://cpj.org/css/images/header6.jpg
>
> depending on when you access the page.
>
> This reference is generated from the CSS stylesheet
>
> https://cpj.org/css/styles.css
>
> which contains the CSS code
>
> #header {
> background-color: #4d4d4d;
> background-image: url(/cgi-bin/image.cgi);
> height: 133px;
> cursor: pointer;
> }
>
> https://cpj.org/cgi-bin/image.cgi is a CGI script which generates
> a redirect (via 302 with Location header) to one of the six insecure
> image URLs mentioned above. For some reason, the image then gets
> loaded insecurely even though Live HTTP Headers thinks it's been
> rewritten. Is this the connection re-use bug?
>
> I'm using 0.2.3.development.1 with Firefox 3.6.11 and all of the rules
> from e-l-r.
>
> --
> Seth Schoen
> Senior Staff Technologist schoen at eff.org
> Electronic Frontier Foundation https://www.eff.org/
> 454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107
> _______________________________________________
> HTTPS-everywhere mailing list
> HTTPS-everywhere at mail1.eff.org
> https://mail1.eff.org/mailman/listinfo/https-everywhere
--
Peter Eckersley pde at eff.org
Senior Staff Technologist Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993
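
The failure mode described in this thread (an HTTPS stylesheet reference that 302-redirects to an `http://` image) can be audited by resolving each CSS `url()` reference and walking its redirect chain. The sketch below is an added example, not part of the original e-mails and not HTTPS Everywhere code; the function names are hypothetical, and the `RESPONSES` table is a constructed stand-in for the network that mirrors the behaviour reported above.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the network: URL -> (status, Location header).
# Mirrors the behaviour reported in the thread; nothing is actually fetched.
RESPONSES = {
    "https://cpj.org/cgi-bin/image.cgi": (302, "http://cpj.org/css/images/header1.jpg"),
    "http://cpj.org/css/images/header1.jpg": (200, None),
}

# Stylesheet fragment quoted in the thread.
CSS = """#header {
  background-color: #4d4d4d;
  background-image: url(/cgi-bin/image.cgi);
  height: 133px;
  cursor: pointer;
}"""

URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)", re.I)
REDIRECTS = (301, 302, 303, 307, 308)

def lookup(url):
    """Return (status, location) for a URL from the constructed table."""
    return RESPONSES.get(url, (200, None))

def css_urls(css_text, base_url):
    """Resolve every url(...) reference against the stylesheet's own URL."""
    return [urljoin(base_url, ref) for ref in URL_RE.findall(css_text)]

def redirect_chain(url, fetch, max_hops=10):
    """Follow Location headers hop by hop, resolving relative targets."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECTS or not location:
            break
        chain.append(urljoin(chain[-1], location))
    return chain

def insecure_subresources(css_text, base_url, fetch=lookup):
    """Report references whose chain touches plain http at any hop."""
    findings = []
    for url in css_urls(css_text, base_url):
        chain = redirect_chain(url, fetch)
        if any(urlsplit(hop).scheme == "http" for hop in chain):
            findings.append((url, chain))
    return findings

if __name__ == "__main__":
    for ref, chain in insecure_subresources(CSS, "https://cpj.org/css/styles.css"):
        print("mixed content:", " -> ".join(chain))
```

The initial reference is HTTPS, so a check that inspects only the URLs written in the page or stylesheet reports nothing; the downgrade is visible only after the 302 is followed.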