Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#15763 closed defect (fixed)

Need whitelist entry for www.fark.com and total.fark.com

Reported by: bit0mike Owned by:
Priority: Medium Milestone: HTTPS-E next Chrome release
Component: HTTPS Everywhere/EFF-HTTPS Everywhere Version:
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Short version: HTTPS Anywhere now breaks many form submissions on www.fark.com and total.fark.com, and we need a whitelist rule.

Longer version: our desktop site's ads cannot load over HTTPS, so we have to unfortunately run that site HTTP to avoid mixed-content warnings.  Google's ad team, and third party ad networks, apparently don't have the same urgency as Google's Chrome team when it comes to encouraging HTTPS use...

We do now have a way to pay a small monthly amount to turn ads off yet still support the site (BareFark), and anyone that buys that gets an SSL version of the site as a perk, and is forcibly redirected to it if they hit it via plaintext.  To make ads work though, we have to push everyone else back to the plaintext version.

Unfortunately, this combined with HTTPS Anywhere breaks our Post-Redirect-Get form submission logic.  The POST always goes to HTTPS, caches the form variables, then redirects to a GET which then retrieves those variables (and clears the cached version to avoid double-submits).  HTTPS Anywhere then tries to redirect that GET back to an HTTPS version, which causes the form variables to be lost and the overall POST to fail.  Sad trombone.

Fortunately our mobile ad networks don't have the limitation of being HTTP-only, so, we do NOT need a whitelist rule for m.fark.com, m.total.fark.com, or our images host img.fark.net.  We already forcibly redirect all mobile hits over to HTTPS, though we aren't quite yet using HSTS to do it.  (See, we're at least trying...)

Child Tickets

Change History (3)

comment:1 Changed 3 years ago by bit0mike

OK, ignore the part where I mistyped "HTTPS Anywhere" instead of "HTTPS Everywhere".  Or if I put this in the wrong ticket queue.  Derp!

Also, if there is some kind of header I can send to tell HTTPS-Everywhere to lay off and that I really do know what I'm doing by forcing HTTP on occasion, kinda like an HSTS header in reverse, that would be awesome, because then I can remove it at our end when we're no longer forced to do that.

comment:2 Changed 3 years ago by jsha

Resolution: fixed
Status: newclosed

Hi Mike! Thanks for working on HTTPS for Fark. BTW, did you see Google's recent announcement that they'll be supporting HTTPS for ads? Hopefully that will help.

I've disabled the Fark rule for now. When you've got HTTPS working better, it would be awesome if you could re-enable the rule (it's at https://github.com/EFForg/https-everywhere/blob/master/src/chrome/content/rules/Fark.xml). Or just file another issue and we'll bring it up to date.

comment:3 Changed 3 years ago by bit0mike

Thanks!

I did see that, though if I remember right, it was more a "can" do HTTPS than a "must", and it's still a ways off.  Less helpful, short term.  :p

Note: See TracTickets for help on using tickets.