[HTTPS-Everywhere] Incompatibilities between HTTPS Everywhere for Chrome and Keep {My, More} Opt Outs
Peter Eckersley
pde at eff.org
Fri Nov 2 18:09:00 PDT 2012
Sorry, that was the wrong line number:
https://gitweb.torproject.org/https-everywhere.git/blob/c343f230a49d960dba90424799c3bacc2325fc94:/chromium/background.js#l145
On Fri, Nov 02, 2012 at 06:06:08PM -0700, Peter Eckersley wrote:
> Our cookie wrangling code is here:
>
> https://gitweb.torproject.org/https-everywhere.git/blob/c343f230a49d960dba90424799c3bacc2325fc94:/chromium/background.js#l199
>
> it looks as though the way we modify the secure flag is by recreating the
> whole cookie, which might be the wrong way to do it...
>
> On Sat, Nov 03, 2012 at 12:56:47AM +0100, Mike West wrote:
> > -BCC other googlers.
> >
> > Keep My Opt-Outs is me. Keep More Opt-Outs is a fork, as is "Protect My
> > Choices" and probably others. :)
> >
> > KMOO watches for changes to cookies and overwrites them if they diverge
> > from the opt-out text specified in the registry. If the name and domain
> > match, it should simply leave them alone:
> > http://code.google.com/p/chrome-opt-out-extension/source/browse/trunk/chrome/KMOO.Cookie.js#97
> >
> > Is HTTPSEverywhere modifying the cookies in ways other than setting the
> > secure flag?
> >
> > --
> > Mike West <mkwst at google.com>, Developer Advocate
> > Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> > Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
> >
> >
> > On Sat, Nov 3, 2012 at 12:36 AM, Peter Eckersley <pde at eff.org> wrote:
> >
> > > (Sorry for CCing a bunch of googlers, hopefully one of you can route this
> > > to
> > > real KMOO developer(s))
> > >
> > > In Chrome, it seems that HTTPS Everywhere has an incompatibility with two
> > > extensions, called Keep More Opt Outs and Keep My Opt Outs. These
> > > extensions
> > > attempt to police and preserve "opt-out" cookies for a bunch of advertising
> > > and tracking domains.
> > >
> > > Unfortunately they seem to fight against HTTPS Everywhere's attempts to
> > > turn
> > > on the "secure" flag in some of those cookies. I haven't looked closely at
> > > the precise API hooks through which that's occurring, but it can be
> > > discussed
> > > in this ticket:
> > >
> > > https://trac.torproject.org/projects/tor/ticket/7099
> > > (make an account to post there, or use the anonymous one which is
> > > "cypherpunks" / "writecode")
> > >
> > > In my experience, reproducing is faster and easier with Keep More Opt Outs;
> > > just install the two extensions, browse around for a bit, and watch the
> > > infinite loops start.
> > >
> > > --
> > > Peter Eckersley pde at eff.org
> > > Technology Projects Director Tel +1 415 436 9333 x131
> > > Electronic Frontier Foundation Fax +1 415 436 9993
> > >
>
> --
> Peter Eckersley pde at eff.org
> Technology Projects Director Tel +1 415 436 9333 x131
> Electronic Frontier Foundation Fax +1 415 436 9993
>
--
Peter Eckersley pde at eff.org
Technology Projects Director Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993
More information about the HTTPS-everywhere
mailing list