[HTTPS-Everywhere] Hundreds of rulesets will need to be marked platform="mixedcontent" to disable them for Chromium users

Peter Eckersley pde at eff.org
Tue Sep 25 18:10:26 PDT 2012


    TL; DR: We need to mark every ruleset where blocking insecure (HTTP) JS and
    CSS loads causes major rendering or UI breakage with the
    platform="mixedcontent" attribute, to disable it in Chrome.

    https://trac.torproject.org/projects/tor/ticket/6975

Recent versions of Chrome block mixed content (i.e. loading of HTTP scripts and
CSS from an HTTPS origin) by default.  The notifications to the user about
this were initially loud but have become more subtle, so that now the only
indication is a little shield icon in the address bar.

This is a great way to deal with site admins who use HTTPS intentionally, but
incorrectly.  It causes problematic results for HTTPS Everywhere, which
often affects sites whose admins didn't necessarily expect users to come
in via HTTPS, or test it.  In many cases, we can secure the top-level origin
but not the CDNs that host lots of static CSS and JS.  On those sites, we
currently break rendering unless the user clicks the shield and asks to load
insecure content.  This Chrome bug can be seen live at https://www.nytimes.com
or https://www.consumerreports.org.

The Chromium team has decided they won't offer us any workarounds to forcibly
perform insecure script loads when we cause the origin to be HTTPS, or even
any way to change the UI so that users have a better experience on those
domains:

https://code.google.com/p/chromium/issues/detail?id=144637

(in their defense, there are some corner cases, albeit fairly rare ones, where
HTTPS+mixed content for some URLs would be less secure than straight HTTP for those
URLs)

We have a ticket for the giant task of finding and marking all the rulesets
that will need this change:

https://trac.torproject.org/projects/tor/ticket/6975
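The two halves of that task, finding the rulesets whose HTTPS origin still
pulls in HTTP scripts or stylesheets, and then marking them with
platform="mixedcontent", can be illustrated in a few lines. The following is an
added example and not HTTPS Everywhere's own tooling: the page URL, the HTML
and the ruleset are constructed sample input, and the "loading rule" modelled in
ruleset_enabled (Chromium skips a ruleset carrying platform="mixedcontent",
Firefox keeps it) is the behaviour described in this post, not a reading of the
extension's source. Only script and stylesheet loads count as "active" mixed
content here; images are ignored, as the post only talks about JS and CSS.

```python
"""Find active (script/CSS) mixed content on an HTTPS page and mark a
ruleset with platform="mixedcontent".  Added example, not project code."""
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample input: an HTTPS page whose stylesheet still comes from an
# http:// CDN, while the script uses a protocol-relative URL and a local path.
SAMPLE_PAGE_URL = "https://news.example.com/index.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.example-cdn.net/site.css">
<script src="//static.example-cdn.net/app.js"></script>
<script src="/js/local.js"></script>
<img src="http://static.example-cdn.net/logo.png">
</head><body></body></html>
"""
# Constructed sample ruleset in the HTTPS Everywhere XML format.
SAMPLE_RULESET = r"""<ruleset name="Example News">
  <target host="news.example.com" />
  <rule from="^http://news\.example\.com/" to="https://news.example.com/" />
</ruleset>"""


class ActiveContentScanner(HTMLParser):
    """Collect the URLs of <script src> and <link rel=stylesheet href> tags."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "link" and a.get("href"):
            rel = (a.get("rel") or "").lower().split()
            if "stylesheet" in rel:
                self.urls.append(a["href"])


def insecure_active_loads(page_url, html):
    """Return the absolute http:// script/CSS URLs an HTTPS page would load.

    Protocol-relative (//cdn/...) and path-relative URLs inherit the page's
    https scheme, so they are not reported; only explicit http:// URLs are.
    """
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only a question on an HTTPS origin
    scanner = ActiveContentScanner()
    scanner.feed(html)
    insecure = []
    for url in scanner.urls:
        absolute = urljoin(page_url, url)
        if urlsplit(absolute).scheme == "http":
            insecure.append(absolute)
    return insecure


def mark_mixedcontent(ruleset_xml):
    """Add platform="mixedcontent" to the <ruleset> root if no platform is set.

    Returns (xml_text, changed).  A ruleset that already carries a platform
    attribute is returned unchanged so a maintainer can look at it by hand.
    """
    root = ET.fromstring(ruleset_xml)
    if root.tag != "ruleset":
        raise ValueError("not an HTTPS Everywhere ruleset")
    if root.get("platform") is not None:
        return ET.tostring(root, encoding="unicode"), False
    root.set("platform", "mixedcontent")
    return ET.tostring(root, encoding="unicode"), True


def ruleset_enabled(ruleset_xml, browser):
    """Model of the loading rule from the post: Chromium builds skip rulesets
    marked platform="mixedcontent"; other browsers keep them (assumption)."""
    root = ET.fromstring(ruleset_xml)
    return not (browser == "chromium" and root.get("platform") == "mixedcontent")


def triage(page_url, html, ruleset_xml):
    """Mark the ruleset only when the HTTPS page really has active mixed content."""
    if insecure_active_loads(page_url, html):
        return mark_mixedcontent(ruleset_xml)
    return ruleset_xml, False


if __name__ == "__main__":
    print(insecure_active_loads(SAMPLE_PAGE_URL, SAMPLE_HTML))
    marked, changed = triage(SAMPLE_PAGE_URL, SAMPLE_HTML, SAMPLE_RULESET)
    print(changed, marked)
    print("chromium:", ruleset_enabled(marked, "chromium"),
          "firefox:", ruleset_enabled(marked, "firefox"))
```

Note that the scanner reports only the one stylesheet fetched over plain
http://; the protocol-relative script resolves to https:// once the origin is
HTTPS, which is exactly the case where a rewrite does not break anything and
the ruleset should stay enabled on Chromium.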

We also need new Chrome UI to let power users re-enable these rulesets, if they
prioritise privacy/security over correct page rendering:

https://trac.torproject.org/projects/tor/ticket/6977


-- 
Peter Eckersley                            pde at eff.org
Technology Projects Director      Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993