[HTTPS-Everywhere] CPJ mixed content for no apparent reason

Peter Eckersley pde at eff.org
Tue Oct 26 17:04:26 PDT 2010


The fact that this is caused by a 302 makes me think it may be the same as

https://trac.torproject.org/projects/tor/ticket/2080

On Tue, Oct 26, 2010 at 04:35:56PM -0700, Seth David Schoen wrote:
> https://www.cpj.org/internet/2010/10/protecting-journalists-from-firesheep.php
> 
> gives me a mixed-content warning even with a blanket cpj.org rewrite
> rule, which you can find in e-l-r.  I couldn't find any insecure
> media in the Media tab.
> 
> Live HTTP Headers similarly doesn't reveal _any_ attempts to access
> non-HTTPS content on that page, but Wireshark does.  The offending
> access is to something that Live HTTP Headers believes has been
> rewritten as HTTPS: any one of the following
> 
> http://cpj.org/css/images/header1.jpg
> http://cpj.org/css/images/header2.jpg
> http://cpj.org/css/images/header3.jpg
> http://cpj.org/css/images/header4.jpg
> http://cpj.org/css/images/header5.jpg
> http://cpj.org/css/images/header6.jpg
> 
> depending on when you access the page.
> 
> This reference is generated from the CSS stylesheet
> 
> https://cpj.org/css/styles.css
> 
> which contains the CSS code
> 
> #header {
> 	background-color: #4d4d4d;
> 	background-image: url(/cgi-bin/image.cgi);
> 	height: 133px;
> 	cursor: pointer;
> }
> 
> https://cpj.org/cgi-bin/image.cgi is a CGI script which generates
> a redirect (via 302 with Location header) to one of the six insecure
> image URLs mentioned above.  For some reason, the image then gets
> loaded insecurely even though Live HTTP Headers thinks it's been
> rewritten.  Is this the connection re-use bug?
> 
> I'm using 0.2.3.development.1 with Firefox 3.6.11 and all of the rules
> from e-l-r.
> 
> -- 
> Seth Schoen
> Senior Staff Technologist                         schoen at eff.org
> Electronic Frontier Foundation                    https://www.eff.org/
> 454 Shotwell Street, San Francisco, CA  94110     +1 415 436 9333 x107
> _______________________________________________
> HTTPS-everywhere mailing list
> HTTPS-everywhere at mail1.eff.org
> https://mail1.eff.org/mailman/listinfo/https-everywhere

-- 
Peter Eckersley                            pde at eff.org
Senior Staff Technologist         Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
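The failure mode Seth describes above, as an added illustration (this is not code from the list, from HTTPS Everywhere or from cpj.org): a stylesheet references `/cgi-bin/image.cgi`, that URL answers with a 302 to a plain-http image, and a rewrite rule that is applied to the URL the page asked for but not to the redirect's Location still leaves a plain-http request on the wire. The network responses are a constructed table modelled on the report (no real requests are made), and the single cpj.org rewrite rule is an assumption standing in for the blanket rule Seth mentions; `rewrite_redirects=False` models the behaviour in the report, `True` the behaviour a user would expect.

```python
import re
from urllib.parse import urljoin

# Constructed stand-in for the network (assumption: responses modelled on the
# report above; nothing is fetched). url -> (status, headers, body)
FAKE_RESPONSES = {
    "https://cpj.org/css/styles.css": (
        200, {"Content-Type": "text/css"},
        "#header {\n\tbackground-color: #4d4d4d;\n"
        "\tbackground-image: url(/cgi-bin/image.cgi);\n\theight: 133px;\n}\n",
    ),
    # The CGI script answers with a 302 whose Location is a plain-http URL.
    "https://cpj.org/cgi-bin/image.cgi": (
        302, {"Location": "http://cpj.org/css/images/header3.jpg"}, "",
    ),
    "http://cpj.org/css/images/header3.jpg": (
        200, {"Content-Type": "image/jpeg"}, "<jpeg bytes>"),
    "https://cpj.org/css/images/header3.jpg": (
        200, {"Content-Type": "image/jpeg"}, "<jpeg bytes>"),
}


def fake_fetch(url):
    """Return (status, headers, body) from the constructed table; 404 otherwise."""
    return FAKE_RESPONSES.get(url, (404, {}, ""))


# One HTTPS-Everywhere-style rule (assumption: stands in for the blanket
# cpj.org rule mentioned in the report; the real ruleset is not reproduced).
RULES = [(re.compile(r"^http://(www\.)?cpj\.org/"), "https://cpj.org/")]


def rewrite(url):
    """Apply the first matching http-to-https rule, or return the URL unchanged."""
    for pattern, target in RULES:
        if pattern.match(url):
            return pattern.sub(target, url, count=1)
    return url


CSS_URL_RE = re.compile(r"""url\(\s*(['"]?)([^'")]+)\1\s*\)""")


def css_resource_urls(css_text, stylesheet_url):
    """Absolute URLs of every url(...) reference in a stylesheet."""
    return [urljoin(stylesheet_url, m.group(2).strip())
            for m in CSS_URL_RE.finditer(css_text)]


def load_chain(url, fetch=fake_fetch, rewrite_redirects=True, max_hops=10):
    """Follow redirects as a browser would and record each URL actually requested.

    rewrite_redirects=False models the report: the rewrite is applied to the
    URL the page asked for, but not to the Location a 302 sends the browser
    to, so the redirect target is requested exactly as the server gave it.
    """
    chain = []
    current = rewrite(url)
    for _ in range(max_hops):
        status, headers, _body = fetch(current)
        chain.append((current, status))
        if status not in (301, 302, 303, 307, 308) or "Location" not in headers:
            break
        nxt = urljoin(current, headers["Location"])
        current = rewrite(nxt) if rewrite_redirects else nxt
    return chain


def insecure_hops(chain):
    """URLs in a redirect chain that went out over plain HTTP (mixed content)."""
    return [u for u, _status in chain if u.startswith("http://")]


def audit_stylesheet(stylesheet_url, fetch=fake_fetch, rewrite_redirects=True):
    """Map each CSS-referenced resource to the plain-http URLs hit while loading it."""
    _status, _headers, css = fetch(rewrite(stylesheet_url))
    report = {}
    for ref in css_resource_urls(css, stylesheet_url):
        report[ref] = insecure_hops(load_chain(ref, fetch, rewrite_redirects))
    return report


if __name__ == "__main__":
    for mode in (False, True):
        print("rewrite redirects:", mode,
              audit_stylesheet("https://cpj.org/css/styles.css",
                               rewrite_redirects=mode))
```

The point of the two modes is that a header-logging tool which hooks the request as the page issued it sees only the rewritten `https://cpj.org/cgi-bin/image.cgi`; the plain-http fetch of the redirect target is only visible on the wire, which is consistent with Live HTTP Headers showing nothing while Wireshark does.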
