#26548 closed defect (fixed)

Some HTTPS Everywhere functionality appears to be broken on 8.0a9

Reported by: cypherpunks
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: ff60-esr, TorBrowserTeam201808
Cc: gk
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I compared the behavior between 8.0a8 and 8.0a9:

  • Open 8.0a8, and check "Block all unencrypted requests" in the HTTPS-E popup.
  • So open that site up while your browser console is open; you can see that HTTPS-E injects an upgrade-insecure-requests header and everything is going through HTTPS now, including scripts, CSS, etc.

  • Open 8.0a9, and check "Block all unencrypted requests" in the HTTPS-E popup.
  • Go to the previously mentioned site.
  • There doesn't appear to be any injection of the upgrade-insecure-requests header; CSS is broken, etc., as a result.

Change History (13)

comment:1 Changed 12 months ago by gk

Status: new → needs_information

And this works with a vanilla Firefox 60.1.0 ESR?

comment:2 in reply to:  1 Changed 12 months ago by cypherpunks

Status: needs_information → new

Replying to gk:

And this works with a vanilla Firefox 60.1.0 ESR?

Tested on nightly and it works, should be the same for 60 ESR I suppose.

comment:3 Changed 12 months ago by gk

Keywords: ff60-esr added

comment:4 Changed 12 months ago by cypherpunks

Forgot (again) to specify: This was tested on Linux (so you can be reassured that this may not have to do with the other weird webext Windows bugs).

comment:5 Changed 12 months ago by jscott

I can't reproduce this on GNU/Linux. In fact, a search at DuckDuckGo reveals that upgrade-insecure-requests: 1, for me, is set, even without having to choose "Block all unencrypted requests" beforehand.

comment:6 in reply to:  5 Changed 12 months ago by cypherpunks

Replying to jscott:

I can't reproduce this on GNU/Linux.

Did you test with the specific site that you can find in that privatebin pasta?

comment:7 Changed 12 months ago by cypherpunks

Summary: HTTPS Everywhere's injection of upgrade-insecure-requests header appears to be broken on 8.0a9 → Some HTTPS Everywhere functionality appears to be broken on 8.0a9

It's not just that thing that appears to be broken: if you try the HTTP Nowhere mode, type (for example) hardware.fr and hit enter, then you won't get redirected to the functional host, which is www.hardware.fr, and you'll instead be served an error page despite the rule <rule from="^http://hardware\.fr/" to="https://www.hardware.fr/"/> (https://www.eff.org/https-everywhere/atlas/domains/hardware.fr.html).
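
The behaviour comment:7 expects, as an added example that is not part of the ticket and not HTTPS Everywhere's own code: the quoted rule is applied first, and only a URL that is still plain HTTP afterwards is blocked. The names `RULES`, `applyRules` and `decide` are hypothetical, and the rewrite-then-block order is an assumption drawn from the comment's description.

```javascript
// Added illustration; not HTTPS Everywhere's source. All names are hypothetical.
// The single rule quoted in comment:7, expressed as a from/to pair.
const RULES = [
  { from: /^http:\/\/hardware\.fr\//, to: "https://www.hardware.fr/" },
];

// Apply the first matching rule; return the URL unchanged if none matches.
function applyRules(url, rules) {
  for (const { from, to } of rules) {
    if (from.test(url)) return url.replace(from, to);
  }
  return url;
}

// Decide what to do with a top-level navigation.
// blockUnencrypted models the "Block all unencrypted requests" checkbox.
function decide(rawUrl, rules, blockUnencrypted) {
  // Normalise first: a bare "http://hardware.fr" gains its trailing "/",
  // which the rule's "^http://hardware\.fr/" pattern requires.
  const url = new URL(rawUrl).href;
  const rewritten = applyRules(url, rules);
  if (rewritten !== url) return { action: "redirect", url: rewritten };
  // Only block once no rule offered an HTTPS destination.
  if (blockUnencrypted && new URL(url).protocol === "http:") {
    return { action: "block", url };
  }
  return { action: "allow", url };
}

// Constructed sample navigations (example.invalid is a placeholder host).
const SAMPLES = [
  "http://hardware.fr",
  "http://hardware.fr/news?id=1",
  "http://example.invalid/",
  "https://www.hardware.fr/",
];
for (const s of SAMPLES) {
  const d = decide(s, RULES, true);
  console.log(`${s} -> ${d.action} ${d.url}`);
}
```

Blocking before the rule lookup would turn the first two samples into error pages, which is the symptom the comment describes.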

comment:8 Changed 10 months ago by cypherpunks3

This isn't a Tor Browser-specific bug; it's a bug in HTTPS-E itself that only happens on certain Firefoxes. See https://github.com/EFForg/https-everywhere/issues/16358. A one-line fix has been submitted: https://github.com/EFForg/https-everywhere/pull/16359

You can then close this ticket after it gets merged.

comment:9 Changed 10 months ago by cypherpunks3

Please close this ticket: It has been merged https://github.com/EFForg/https-everywhere/pull/16359

comment:10 in reply to:  9 Changed 10 months ago by gk

Replying to cypherpunks3:

Please close this ticket: It has been merged https://github.com/EFForg/https-everywhere/pull/16359

Thanks. I'll do so once a new HTTPS-Everywhere version containing the fix is out and we ship it.

comment:11 Changed 10 months ago by gk

Keywords: TorBrowserTeam201808 added
Resolution: fixed
Status: new → closed

Fixed with the HTTPS-Everywhere version bump in tor-browser-build on master (commit a848723ce2511b187a43f315f3a3315ec7e86bff).

comment:12 Changed 10 months ago by cypherpunks3

Resolution: fixed
Status: closed → reopened

The upgrade-insecure-requests header part of this ticket is still unfixed, only the thing mentioned in comment:7 is.

comment:13 in reply to:  12 Changed 10 months ago by gk

Resolution: fixed
Status: reopened → closed

Replying to cypherpunks3:

The upgrade-insecure-requests header part of this ticket is still unfixed, only the thing mentioned in comment:7 is.

Please open a new ticket if that's a Tor Browser issue.