Opened 9 years ago

Closed 9 years ago

Last modified 18 months ago

#2193 closed defect (implemented)

Facebook <securecookie> rules break apps

Reported by: pde
Owned by: pde
Priority: Immediate
Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

As reported here:

https://mail1.eff.org/pipermail/https-everywhere/2010-November/000475.html

We now need to work out whether there is a subset of cookies that we can secure to prevent account hijacking while still allowing apps to function :(

Child Tickets

Change History (2)

comment:1 Changed 9 years ago by pde

Resolution: implemented
Status: new → closed

The workaround for 0.3.0 is to move the Facebook <securecookie> rules, along with an http://apps.facebook.com -> https://apps.facebook.com rule, into an optional, off-by-default Facebook+ ruleset. That ruleset either (1) breaks Facebook apps, or (2) may require you to accept a www.facebook.com cert for apps.facebook.com, depending on your perspective.

Facebook have told us that this problem will eventually go away, but they can't commit to a timeline. When that happens, the Facebook+ ruleset can be merged back into the main one.
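The split that comment:1 describes, written out in HTTPS Everywhere's ruleset XML as an added illustration (this is not the Facebook ruleset shipped in 0.3.0): the main ruleset keeps only URL rewrites, while the <securecookie> rules and the apps.facebook.com rewrite are moved to a second ruleset that is off by default. The host/name regexes, the www.facebook.com rewrite and the default_off reason text are assumptions for the example; only the hostnames and the apps rewrite come from the ticket.

```xml
<!--
  Added illustration, not the rulesets shipped with HTTPS Everywhere 0.3.0.
  Two separate ruleset files are shown one after the other. The hostnames
  and the apps.facebook.com rewrite come from the ticket; the regexes and the
  default_off reason are assumptions.
-->

<!-- File 1: main Facebook ruleset, enabled by default.
     Rewrites only. No <securecookie> element here, so Facebook's session
     cookies are not marked Secure and the browser will still send them to
     plain http://apps.facebook.com, which keeps apps working (at the cost of
     the cookies being exposed on that connection). -->
<ruleset name="Facebook">
  <rule from="^http://(www\.)?facebook\.com/" to="https://www.facebook.com/" />
</ruleset>

<!-- File 2: optional Facebook+ ruleset, disabled unless the user turns it on.
     Marking every facebook.com cookie Secure stops the browser from sending
     them over plain HTTP, which is the account-hijacking fix. Once the cookies
     are Secure, apps only work if apps.facebook.com is also forced to HTTPS,
     and the ticket reports that host serving a certificate for
     www.facebook.com, hence the warning in default_off. -->
<ruleset name="Facebook+" default_off="breaks Facebook apps, or requires accepting a www.facebook.com certificate for apps.facebook.com">
  <rule from="^http://apps\.facebook\.com/" to="https://apps.facebook.com/" />
  <securecookie host="^.*\.facebook\.com$" name=".*" />
</ruleset>
```

The check to run after enabling Facebook+ is twofold: confirm in the browser's cookie viewer that the facebook.com cookies now carry the Secure flag, and load http://apps.facebook.com to see whether it is rewritten to https and whether the certificate presented actually matches apps.facebook.com. If the redirect happens but the certificate is for www.facebook.com, you are in case (2) of the comment above.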

comment:2 Changed 18 months ago by teor

Severity: Normal

Set all tickets without a severity to "Normal"
