Opened 6 months ago
Last modified 5 months ago
#27280 new defect
HTTPS Everywhere upgrade-insecure-header injection appears to be broken on 8.0a9 / 8.0a10
Reported by: | cypherpunks3 | Owned by: | tbb-team
---|---|---|---
Priority: | Medium | Milestone: |
Component: | Applications/Tor Browser | Version: |
Severity: | Normal | Keywords: | tbb-8.0-issues, tbb-regression, noscript
Cc: | gk, legind | Actual Points: |
Parent ID: | | Points: |
Reviewer: | | Sponsor: |
Description
Replying to cypherpunks:
I compared the behavior between 8.0a8 and 8.0a9:
- Open 8.0a8, and check "Block all unencrypted requests" in the HTTPS-E popup.
- Go to a mixed-content website (go to the GitHub repository efforg/https-everywhere, then search for mixedcontent and find a recently edited one; here's an example of such a site
- Open that site with your browser console open: you can see that HTTPS-E injects an upgrade-insecure-requests header, and everything now goes through HTTPS, including scripts, CSS, etc.
- Open 8.0a9, and check "Block all unencrypted requests" in the HTTPS-E popup.
- Go to the previously mentioned site.
- There doesn't appear to be any injection of the upgrade-insecure-requests header; CSS is broken, etc., as a result.
This doesn't affect Firefox Nightly 63a1.
Child Tickets
Change History (5)
comment:1 Changed 6 months ago by
Keywords: ff60-esr added
comment:2 Changed 6 months ago by
comment:3 Changed 6 months ago by
Example of mixed content website is included in here: https://ghostbin.com/paste/pouve/raw
comment:4 Changed 5 months ago by
This problem doesn't happen when NoScript is disabled.
What's happening is that basically NoScript blocks scripts by using the CSP, and HTTPS Everywhere does this as well using CSP so maybe there's some conflict. In any case this seems to happen even in the Standard security setting, so there may be something else.
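One way two extensions that both rewrite the Content-Security-Policy response header can trample each other, as an added illustration that is not HTTPS Everywhere's or NoScript's own code: the simulated listeners, header names and policies below are constructed, and the assumption is only that each listener either replaces or appends a CSP header. Because a browser enforces every CSP policy delivered with a response, appending a second header keeps both extensions' directives in force.

```javascript
const CSP = "content-security-policy";

// Naive strategy: a listener replaces any existing CSP header with its own
// policy, so whichever listener runs last silently discards the other's.
function setCspReplace(headers, policy) {
  const rest = headers.filter(h => h.name.toLowerCase() !== CSP);
  return [...rest, { name: "Content-Security-Policy", value: policy }];
}

// Cooperative strategy: add a second CSP header instead. Every policy on the
// response is enforced independently, so both sets of directives survive.
function setCspAppend(headers, policy) {
  return [...headers, { name: "Content-Security-Policy", value: policy }];
}

// Collect the directive names from every CSP header on a response.
function effectiveDirectives(headers) {
  const names = new Set();
  for (const h of headers) {
    if (h.name.toLowerCase() !== CSP) continue;
    for (const directive of h.value.split(";")) {
      const name = directive.trim().split(/\s+/)[0];
      if (name) names.add(name.toLowerCase());
    }
  }
  return names;
}

// Run a simulated "upgrader" listener followed by a simulated "script
// blocker" listener with the given strategy (listener order is whatever the
// browser chooses, so with the replace strategy either directive can be the
// one that is lost). Returns which directives the final response carries.
function runListeners(strategy) {
  let headers = [{ name: "Content-Type", value: "text/html" }]; // constructed
  headers = strategy(headers, "upgrade-insecure-requests");     // upgrader
  headers = strategy(headers, "script-src 'none'");             // script blocker
  const d = effectiveDirectives(headers);
  return {
    upgrade: d.has("upgrade-insecure-requests"),
    scriptSrc: d.has("script-src"),
  };
}
```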
comment:5 Changed 5 months ago by
Keywords: tbb-8.0-issues tbb-regression noscript added; ff60-esr removed
Ticket #26548 was originally titled "HTTPS Everywhere's injection of upgrade-insecure-requests header appears to be broken on 8.0a9" before being changed to "Some HTTPS Everywhere functionality appears to be broken on 8.0a9".