[HTTPS-Everywhere] Mixed Content Blocker
Drake, Brian
brian at drakefamily.tk
Fri Jan 17 19:19:11 PST 2014
Here is the first post to elaborate on my previous comment; later, I want
to try to summarise the main discussion/decisions/commits on this, because
it seems to be spread over too many places.
This post is to discuss what seems like a fundamental flaw in the current
handling of mixed content. Can someone confirm that it is indeed flawed, or
explain why it is not?
Mixed content is where a page loaded over HTTPS makes a request over HTTP.
Let us divide browsers into three types, based on how they handle mixed
content.
1. Immediately block the HTTP request.
2. Handle the request normally, up to the point where it would be sent over
the network, then if it is still HTTP, block it.
3. Handle the request normally.
The higher the browser type is, the more likely it is to handle an HTTPS
page correctly (that is, to avoid breaking the page). But the less likely
it is to be secure.
Currently, Firefox and Chrome offer a choice between being type 1 and type
3 (for Firefox, at least, it depends on whether it’s active or display
content, but that’s irrelevant to this post). We’re trying to get them to
be type 2 instead of type 1. But what would happen if we succeeded at that?
With HTTPS Everywhere, the highest priority is to handle the page
correctly; after that, we try to be secure. Sometimes we can do this on
type 2 and type 3 browsers, but not on type 1 (all the required resources
are available over HTTPS, if only the browser would let us rewrite the
requests). And sometimes we can do this on type 3 browsers only (at least
some required resources are available only over HTTP).
In either case, we need a way of restricting when the rule applies. Here’s
where I don’t fully understand how things work now. The best I can say is
this:
1. We handle both cases by adding platform="mixedcontent" and restricting
the rules to type 3 browsers.
2. If type 2 browsers became available, there would be no easy way of
telling which rules should be enabled on those browsers, nor would there be
any way of actually doing so (while keeping those rules disabled on type 1
browsers).
--
Brian Drake
All content created by me:
Copyright<http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html>©
2014 Brian Drake. All rights reserved.
On Sat, Jan 18, 2014 at 0258 (UTC), Drake, Brian <brian at drakefamily.tk>wrote:
> On Wed, Jan 15, 2014 at 0622 (UTC), Jacob Hoffman-Andrews <
> jsha at newview.org> wrote:
>
>> [snip]
>>
>
> That’s a nice idea, but it’s still not clear how things work now, and I
> think it’s fundamentally flawed anyway (that’s in addition to whatever
> flaws the browsers have). I’m going to make a couple more posts today to
> elaborate on this.
>
> [snip]
>
> --
> Brian Drake
>
> All content created by me: Copyright<http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html>© 2014 Brian Drake. All rights reserved.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.eff.org/pipermail/https-everywhere/attachments/20140118/418247bf/attachment.html>
More information about the HTTPS-Everywhere
mailing list