Opened 16 months ago

Last modified 15 months ago

#27280 new defect

HTTPS Everywhere upgrade-insecure-header injection appears to be broken on 8.0a9 / 8.0a10

Reported by: cypherpunks3 Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-8.0-issues, tbb-regression, noscript
Cc: gk, legind Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Replying to cypherpunks:

I compared the behavior between 8.0a8 and 8.0a9:

  • Open 8.0a8, and check the "Block all unencrypted requests" in the HTTPS-E popup.
  • Go to a mixedcontent website (go to the GitHub repository efforg/https-everywhere, then search for mixedcontent and find a recently edited one; here's an example of such a site).
  • Open that site while your browser console is open; you can see that HTTPS-E injects an upgrade-insecure-requests header and everything goes through HTTPS now, including scripts, CSS, etc.

  • Open 8.0a9, and check the "Block all unencrypted requests" in the HTTPS-E popup.
  • Go to the previously mentioned site.
  • There doesn't appear to be any injection of the upgrade-insecure-requests header; CSS is broken, etc., as a result.

This doesn't affect Firefox Nightly 63a1.

Change History (5)

comment:1 Changed 16 months ago by gk

Keywords: ff60-esr added

comment:2 Changed 16 months ago by cypherpunks3

Ticket #26548 was originally "HTTPS Everywhere's injection of upgrade-insecure-requests header appears to be broken on 8.0a9" before being changed to "Some HTTPS Everywhere functionality appears to be broken on 8.0a9".

comment:3 Changed 16 months ago by cypherpunks3

Example of mixed content website is included in here: https://ghostbin.com/paste/pouve/raw

comment:4 Changed 15 months ago by cypherpunks3

This problem doesn't happen when NoScript is disabled.

What's happening is that basically NoScript blocks scripts by using the CSP, and HTTPS Everywhere does this as well using CSP, so maybe there's some conflict. In any case, this seems to happen even in the Standard security setting, so there may be something else.
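The header conflict suggested in comment 4, as an added example that is not from the ticket nor from either extension's code: two onHeadersReceived-style listeners (assumed to operate on WebExtension `{name, value}` response-header objects) each contribute one CSP directive, and replacing the header loses the other listener's directive while merging keeps both. Whether the extensions actually behave this way is not established by the ticket.

```javascript
// Added example, not the extensions' own code. Models a NoScript-style
// "script-src 'none'" and an HTTPS-E-style "upgrade-insecure-requests"
// both being applied to the same response's Content-Security-Policy.

const CSP = "content-security-policy";

// Parse a CSP header value into a directive-name -> source-list map.
function parseCsp(value) {
  const out = new Map();
  for (const raw of value.split(";")) {
    const parts = raw.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...rest] = parts;
    out.set(name.toLowerCase(), rest);
  }
  return out;
}

// Serialize the directive map back into a header value.
function serializeCsp(map) {
  return [...map].map(([n, v]) => [n, ...v].join(" ")).join("; ");
}

// Clobbering style: drop any existing CSP and emit only our directive.
function clobberCsp(headers, directive) {
  const kept = headers.filter(h => h.name.toLowerCase() !== CSP);
  return [...kept, { name: "Content-Security-Policy", value: directive }];
}

// Merging style: keep every existing directive and add ours if absent.
function mergeCsp(headers, directive) {
  const idx = headers.findIndex(h => h.name.toLowerCase() === CSP);
  if (idx < 0) return [...headers, { name: "Content-Security-Policy", value: directive }];
  const map = parseCsp(headers[idx].value);
  const [dname, ...dvals] = directive.trim().split(/\s+/);
  if (!map.has(dname.toLowerCase())) map.set(dname.toLowerCase(), dvals);
  const updated = headers.slice();
  updated[idx] = { name: headers[idx].name, value: serializeCsp(map) };
  return updated;
}

// The CSP value the browser would end up enforcing ("" if none).
function effectiveCsp(headers) {
  const h = headers.find(h => h.name.toLowerCase() === CSP);
  return h ? h.value : "";
}

// Constructed sample response headers and the two directives in play.
const SAMPLE = [{ name: "Content-Type", value: "text/html" }];
const NOSCRIPT_DIRECTIVE = "script-src 'none'";
const HTTPSE_DIRECTIVE = "upgrade-insecure-requests";
```

Note that CSP also permits several Content-Security-Policy headers on one response, each of which is enforced, so appending a second header is another non-clobbering option; only replacing the header silently discards the other extension's policy.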

comment:5 Changed 15 months ago by gk

Keywords: tbb-8.0-issues tbb-regression noscript added; ff60-esr removed