HTTPS Everywhere upgrade-insecure-header injection appears to be broken on 8.0a9 / 8.0a10

[cypherpunks3]

Replying to cypherpunks:

I compared the behavior between 8.0a8 and 8.0a9:

• Open 8.0a8, and check the "Block all unencrypted requests" in the HTTPS-E popup.

• Go to a mixedcontent website (go to the github repository efforg/https-everywhere then search for mixedcontent and find recent edited one, here's an example of such a site

• So open that site up while your browser console is opened, you can see that HTTPS-E injects an upgrade-insecure-requests header and everything is going through HTTPS now including scripts and css etc.

---

• Open 8.0a9, and check the "Block all unencrypted requests" in the HTTPS-E popup.

• Go to the previously mentioned site.

• There doesn't appear to be any injection of upgrade-insecure-requests header, css broken etc as a result.

This doesn't affect Firefox Nightly 63a1.

[cypherpunks3]

Ticket #26548 was originally HTTPS Everywhere's injection of upgrade-insecure-requests header appears to be broken on 8.0a9 before being changed to → Some HTTPS Everywhere functionality appears to be broken on 8.0a9.

[cypherpunks3]

Example of mixed content website is included in here: ​https://ghostbin.com/paste/pouve/raw

[cypherpunks3]

This problem doesn't happen when NoScript is disabled.

What's happening is that basically NoScript blocks scripts by using the CSP, and HTTPS Everywhere does this as well using CSP so maybe there's some conflict. In any case this seems to happen even in the Standard security setting, so there may be something else.