Opened 10 years ago

Closed 10 years ago

Last modified 3 years ago

#2193 closed defect (implemented)

Facebook <securecookie> rules break apps

Reported by: pde
Owned by: pde
Priority: Immediate
Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


As reported here:

We now need to work out whether there is a subset of cookies that we can secure to prevent account hijacking while still allowing apps to function :(

Change History (2)

comment:1 Changed 10 years ago by pde

Resolution: implemented
Status: new → closed

The workaround for 0.3.0 is to move the Facebook <securecookie> rules, along with an -> rule, into an optional, off-by-default Facebook+ ruleset. That ruleset either (1) breaks Facebook apps, or (2) may require you to accept a cert for, depending on your perspective.

Facebook have told us that this problem will eventually go away, but they can't commit to a timeline. When that happens, the Facebook+ ruleset can be merged back into the main one.

comment:2 Changed 3 years ago by teor

Severity: Normal

Set all tickets without a severity to "Normal"
