[HTTPS-Everywhere] Help needed: Disabling 3,080 rulesets
Jacob Hoffman-Andrews
jsha at eff.org
Wed Feb 11 12:59:32 PST 2015
On 02/11/2015 12:04 PM, Mike Perry wrote:
> Out of curiosity, did you also check for rules that were damaged by
> https://bugzilla.mozilla.org/show_bug.cgi?id=878890?
No. The tool I'm using doesn't yet test for mixed content. Micah's
ruleset tests do, but I haven't successfully run them in a while. My
general feeling is that most rulesets with mixed content have been found
by users and fixed, although that may be much less true for the rules
that exist only in the development branch.
> You should be able to test that by setting
> security.mixed_content.block_active_content to false when testing
> rulesets, because the mixed content blocker blocks elements from https
> sites that get redirected by HTTPS-Everywhere into https. In the past,
> rules that tripped over that bug have been tagged with
> platform="mixedcontent". I ask because in Tor Browser, we've been also
> setting security.mixed_content.block_active_content to false, to allow
> HTTPS-Everywhere to enable rules that were broken specifically by that
> bug.
That's good to know, I didn't realize that Tor Browser has a different
mixed content setting. Doesn't that put users at greater risk, on sites
that aren't fixed up by HTTPS Everywhere?
More information about the HTTPS-Everywhere
mailing list