[HTTPS-Everywhere] https-everywhere bug with channels not attached to a window

Peter Eckersley pde at eff.org
Tue May 8 14:11:01 PDT 2012 

Hi Loic,

The code path you are looking at is HTTPS Everywhere's attempt to work out
which window a rewrite pertains to, in order to update the state of the
toolbar context menu (there's a structure called an ApplicableList or alist
that is used to keep track of this).  I know that XHR requests are not
necessarily associated with a Window in Mozilla's internal state, which is why
that codepath sometimes returns a null ApplicableList.

That's not the reason HTTPS Everywhere is messing up your XHR.  The
real problem is this bug:

https://trac.torproject.org/projects/tor/ticket/3190

and this one, which is preventing a sensible workaround:

https://trac.torproject.org/projects/tor/ticket/5682

I was hoping that Justin Samuel could take a look at that second bug, but he
told me that he's going to be prohibitively busy for the next few months, so
someone else is going to need to wade in and fix #5682.

On Tue, May 08, 2012 at 02:25:17PM -0400, Loic J. Duros wrote:
> Hello:
> 
> I'd like to report an issue with Https Everywhere. I'm not sure if I
> can report it to a bug tracker directly, and whether this can be
> reproduced for any url switched from http to https.
> 
> Https-Everywhere seems to assume that there is a DOM window attached
> to all channels, and it fails (returning null) when that's not the
> case. It will log "DOMWindow exploded" when that's the case.
> 
> To reproduce this issue, you must make an xhr request directly from
> code that is not attached to a window. This is common practice, and
> is the case if an extension is performing a request to fetch data
> without a DOM window using nsIXMLHttpRequest:
> https://developer.mozilla.org/en/nsIXMLHttpRequest
> 
> Attempting to perform an xhr request on such a url as:
> http://pagead2.googlesyndication.com/pagead/show_ads.js will never
> get through:
> 
>         var req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"]
>         .createInstance(Ci.nsIXMLHttpRequest);
> 
>         // request made synchronous for the sake of the demo
>         req.open('GET',
> 'http://pagead2.googlesyndication.com/pagead/show_ads.js', false);
>         req.send(null);
> 
> My extension (GNU LibreJS) relies on such XHR requests to analyze
> JavaScript before a response even gets parsed, and as a temporary
> fix I've added a 15 second time out to cancel the piece of code that
> analyzes the script, since it's not being returned at all. Since we
> are planning on adding LibreJS to GNU IceCat and that GNU IceCat
> runs https-everywhere, it is for us an important issue, and if you
> know of a potential way to address this, it would be very helpful!
> :-)
> 
> Thanks,
> 
> Loic
> 
> 
> _______________________________________________
> HTTPS-everywhere mailing list
> HTTPS-everywhere at mail1.eff.org
> https://mail1.eff.org/mailman/listinfo/https-everywhere

-- 
Peter Eckersley                            pde at eff.org
Technology Projects Director      Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993

More information about the HTTPS-everywhere mailing list