Opened 9 years ago

Closed 6 years ago

#3104 closed defect (fixed)

Infinite loops in Facebook settings pages

Reported by: pde | Owned by: pde
Priority: High | Milestone: HTTPS-E 4 stable
Component: HTTPS Everywhere/EFF-HTTPS Everywhere | Version:
Severity: | Keywords:
Cc: | Actual Points:
Parent ID: #4286 | Points:
Reviewer: | Sponsor:


Facebook HTTPS support is broken in strange ways for users who haven't enabled the optional Facebook HTTPS setting.

For such users, pages like this one:

Redirect back to http. In the past, that was merely a security flaw, but recently the redirect changed from an HTTP redirect to a fast JavaScript redirect, which means that our loop detection code does not spot it. The redirection script is here: (note the hard-coded "http").

This is really Facebook's bug, but we should also consider what we can do about cases like this.
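
The description above says the loop stopped being detected once the redirect moved from an HTTP redirect to a JavaScript one. As an added example (not part of the ticket and not HTTPS Everywhere code), the guard below counts rewrites per tab and URL over a time window, so it does not depend on how the browser was sent back to http. The class name, thresholds and URL are assumptions.

```javascript
// Added illustration, not HTTPS Everywhere source; names and thresholds are assumptions.
const WINDOW_MS = 10000;   // look-back window
const MAX_REWRITES = 5;    // rewrites of one URL in one tab tolerated per window

class RewriteLoopGuard {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.history = new Map();    // "tabId|url" -> timestamps of recent rewrites
    this.suspended = new Set();  // keys where rewriting has been switched off
  }

  // Call before rewriting httpUrl to https in tabId. Keyed on tab and URL
  // rather than on a single request, so the count survives a script-driven
  // navigation that starts a brand-new request.
  shouldRewrite(tabId, httpUrl) {
    const key = `${tabId}|${httpUrl}`;
    if (this.suspended.has(key)) return false;
    const t = this.now();
    const recent = (this.history.get(key) || []).filter(ts => t - ts < WINDOW_MS);
    recent.push(t);
    this.history.set(key, recent);
    if (recent.length > MAX_REWRITES) {
      // Loop suspected. Stopping the rewrite leaves this URL on plain http,
      // so a real extension should surface that to the user.
      this.suspended.add(key);
      return false;
    }
    return true;
  }

  // Drop all state for a closed tab.
  forgetTab(tabId) {
    const prefix = `${tabId}|`;
    for (const k of [...this.history.keys()]) if (k.startsWith(prefix)) this.history.delete(k);
    for (const k of [...this.suspended]) if (k.startsWith(prefix)) this.suspended.delete(k);
  }
}

// Constructed scenario: a page script sends the tab back to the same http
// URL every stepMs; returns how many rewrites happen before the guard stops.
function rewritesBeforeStop(stepMs, attempts) {
  let clock = 0;
  const guard = new RewriteLoopGuard(() => clock);
  let allowed = 0;
  for (let i = 0; i < attempts; i++, clock += stepMs) {
    if (guard.shouldRewrite(1, "http://example.test/settings")) allowed++;
  }
  return allowed;
}
```
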

Change History (4)

comment:1 Changed 9 years ago by pde

A user who is experiencing this bug amounts to a low-key DoS against Facebook -- around 250 kbps until they close the tab.

comment:2 Changed 9 years ago by pde

Parent ID: #4286

comment:3 Changed 7 years ago by micahlee

Milestone: HTTPS-E 4 stable

comment:4 Changed 6 years ago by zyan

Resolution: fixed
Status: new → closed

I think this should be fixed since FB is secure by default now.

Please re-open this bug if not.