[HTTPS-Everywhere] Adding exceptions

Yang Zhang yanghatespam at gmail.com
Tue Jan 22 12:05:13 PST 2013


Over the past couple months this issue has persisted.  I looked into
it some more recently, and here is the information so far:

- I'm using Chrome

- The website in question is already accessed via HTTPS only; no HTTP in sight

- The web application is actually just ReviewBoard

- The failing request/response is an AJAX POST

- With HTTPS Everywhere disabled, everything works fine always

- With it enabled, I get an error frequently (but not always)

- When I compare the requests made with/without HTTPS Everywhere, they
are identical

POST /review/api/json/reviewrequests/8167/reviews/draft/publish/ HTTP/1.1
Host: XXX
Connection: keep-alive
Content-Length: 31
Cache-Control: no-cache
Authorization: Basic XXX
Pragma: no-cache
Origin: https://XXX
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.52 Safari/537.17
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*
X-Requested-With: XMLHttpRequest
Referer: https://XXX/review/r/8167/diff/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: rbsessionid=XXX; collapsediffs=True

- I found that the error is that the response does not show up
correctly in Chrome. Using the built-in Chrome Developer Tools
console's Network tab, I see nothing under the Response sub-tab ("This
request has no response data available"), and Chrome itself generally
does not register this as having come through successfully (e.g. the
page JS doesn't get the callback, the row in the Network tab is
highlighted red with "(fail)" under Status, etc.)

- The bizarre part: I can see response headers under the Headers sub-tab:

HTTP/1.1 200 OK
Date: Tue, 22 Jan 2013 19:55:23 GMT
Server: Apache/2.2.22 (Ubuntu)
Content-Length: 14
Content-Language: en-us
Expires: Tue, 22 Jan 2013 19:55:24 GMT
Vary: Cookie,Accept-Language
Last-Modified: Tue, 22 Jan 2013 19:55:24 GMT
Cache-Control: max-age=0
Content-Type: application/json
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive

I'll try to reproduce this outside the context of ReviewBoard, but I
thought I'd attempt asking again here to see if the above details
might shed any light. Thanks.

On Sun, Nov 18, 2012 at 8:55 PM, Peter Eckersley <pde at eff.org> wrote:
> https://www.eff.org/https-everywhere/faq#bugs
>
> Note however that if there's a bug which (like this one) causes the
> secure cookie flag to be set somewhere that it shouldn't be set, turning off
> the problematic ruleset might not be enough.  Depending on how the web app is
> written you might have to log out of the site or even possibly clear your
> cookies before normal behaviour resumes.
>
> On Sun, Nov 18, 2012 at 05:31:45PM -0800, Yang Zhang wrote:
>> Probably a very silly question but I can't find where/how to configure
>> the extension (again, using Chrome here)...any hints?
>>
>> On Sun, Nov 18, 2012 at 10:50 AM, Seth David Schoen <schoen at eff.org> wrote:
>> > Yang Zhang writes:
>> >
>> >> Would HTTPS Everywhere (for Chrome) consider adding the ability to
>> >> make exceptions for certain sites?
>> >>
>> >> I have not had the time to debug what's been happening with one
>> >> particular site of mine, but all I know at this point is that enabling
>> >> HTTPS Everywhere prevents it from working properly (it's a
>> >> Wordpress-based site, but for some reason Set-Cookie response headers
>> >> are not being executed).
>> >
>> > Hi,
>> >
>> > The software already has the ability for users to turn off rules if
>> > they're having trouble with them.  Also, we can take bug reports and
>> > eventually remove, disable, or modify rules if they appear to break
>> > particular sites.
>> >
>> > --
>> > Seth Schoen  <schoen at eff.org>
>> > Senior Staff Technologist                       https://www.eff.org/
>> > Electronic Frontier Foundation                  https://www.eff.org/join
>> > 454 Shotwell Street, San Francisco, CA  94110   +1 415 436 9333 x107
>>
>>
>>
>> --
>> Yang Zhang
>> http://yz.mit.edu/
>>
>> _______________________________________________
>> HTTPS-everywhere mailing list
>> HTTPS-everywhere at mail1.eff.org
>> https://mail1.eff.org/mailman/listinfo/https-everywhere
>
> --
> Peter Eckersley                            pde at eff.org
> Technology Projects Director      Tel  +1 415 436 9333 x131
> Electronic Frontier Foundation    Fax  +1 415 436 9993



-- 
Yang Zhang
http://yz.mit.edu/
