[HTTPS-Everywhere] Incompatibilities between HTTPS Everywhere for Chrome and Keep {My, More} Opt Outs

Peter Eckersley pde at eff.org
Fri Nov 2 18:06:08 PDT 2012


Our cookie wrangling code is here:

https://gitweb.torproject.org/https-everywhere.git/blob/c343f230a49d960dba90424799c3bacc2325fc94:/chromium/background.js#l199

It looks as though the way we modify the secure flag is by recreating the
whole cookie, which might be the wrong way to do it...

On Sat, Nov 03, 2012 at 12:56:47AM +0100, Mike West wrote:
> -BCC other googlers.
> 
> Keep My Opt-Outs is me. Keep More Opt-Outs is a fork, as is "Protect My
> Choices" and probably others. :)
> 
> KMOO watches for changes to cookies and overwrites them if they diverge
> from the opt-out text specified in the registry. If the name and domain
> match, it should simply leave them alone:
> http://code.google.com/p/chrome-opt-out-extension/source/browse/trunk/chrome/KMOO.Cookie.js#97
> 
> Is HTTPSEverywhere modifying the cookies in ways other than setting the
> secure flag?
> 
> --
> Mike West <mkwst at google.com>, Developer Advocate
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
> 
> 
> On Sat, Nov 3, 2012 at 12:36 AM, Peter Eckersley <pde at eff.org> wrote:
> 
> > (Sorry for CCing a bunch of googlers, hopefully one of you can route this
> > to real KMOO developer(s))
> >
> > In Chrome, it seems that HTTPS Everywhere has an incompatibility with two
> > extensions, called Keep More Opt Outs and Keep My Opt Outs.  These
> > extensions attempt to police and preserve "opt-out" cookies for a bunch of
> > advertising and tracking domains.
> >
> > Unfortunately they seem to fight against HTTPS Everywhere's attempts to
> > turn on the "secure" flag in some of those cookies.  I haven't looked
> > closely at the precise API hooks through which that's occurring, but it can
> > be discussed in this ticket:
> >
> > https://trac.torproject.org/projects/tor/ticket/7099
> > (make an account to post there, or use the anonymous one which is
> > "cypherpunks" / "writecode")
> >
> > In my experience, reproducing is faster and easier with Keep More Opt Outs;
> > just install the two extensions, browse around for a bit, and watch the
> > infinite loops start.
> >
> > --
> > Peter Eckersley                            pde at eff.org
> > Technology Projects Director      Tel  +1 415 436 9333 x131
> > Electronic Frontier Foundation    Fax  +1 415 436 9993
> >

-- 
Peter Eckersley                            pde at eff.org
Technology Projects Director      Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
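
Added example, not part of the original thread and not code from either extension: a small simulation of two cookie-change listeners, one that sets the secure flag by recreating the cookie and one that restores opt-out cookies, showing when they loop and when they settle. The in-memory store, the registry entry and the rule that the policing listener treats the secure flag as divergence are all assumptions made for illustration.

```javascript
// Constructed simulation: an in-memory cookie store with a change-event queue.
// It stands in for browser cookie-change notifications; it is not chrome.cookies.
function simulate(policeComparesSecure, maxWrites = 40) {
  const store = new Map();   // key: "domain|name"
  const queue = [];          // pending change events, one per write
  let writes = 0;
  const set = (c) => {
    store.set(`${c.domain}|${c.name}`, c);
    writes++;
    queue.push({ ...c });
  };

  // Listener A: turns on Secure by recreating the whole cookie.
  const secureEnforcer = (c) => {
    if (!c.secure) set({ ...c, secure: true });
  };

  // Listener B (hypothetical): restores a registry entry when a cookie diverges.
  // Constructed registry entry; domain, name and value are sample data.
  const registry = { domain: 'ads.example', name: 'optout', value: 'OPT_OUT', secure: false };
  const optOutPolice = (c) => {
    if (c.domain !== registry.domain || c.name !== registry.name) return;
    const diverged = c.value !== registry.value ||
      (policeComparesSecure && c.secure !== registry.secure); // assumed trigger
    if (diverged) set({ ...registry });
  };

  set({ ...registry });      // the opt-out cookie is written once
  while (queue.length > 0 && writes < maxWrites) {
    const ev = queue.shift();
    secureEnforcer(ev);
    optOutPolice(ev);
  }
  return { writes, looped: queue.length > 0, final: store.get('ads.example|optout') };
}

const fighting = simulate(true);   // Secure flag counted as divergence
const settled = simulate(false);   // only the opt-out text is compared
console.log(`fighting: writes=${fighting.writes} looped=${fighting.looped}`);
console.log(`settled:  writes=${settled.writes} secure=${settled.final.secure}`);
```

The write cap exists only so the looping case terminates; without it the two listeners keep rewriting the same cookie indefinitely.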



