Opened 8 years ago

Closed 8 years ago

#3673 closed defect (fixed)

Jobvite inclusions render weirdly on dropbox.com

Reported by: pde
Owned by: pde
Priority: Medium
Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere
Version:
Severity:
Keywords:
Cc: jgross@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


Change History (5)

comment:1 Changed 8 years ago by rransom

Component: - Select a component → EFF-HTTPS Everywhere
Owner: set to pde

comment:2 Changed 8 years ago by pde

Status: new → accepted

Most often this kind of thing is caused by the absence of referrers in HTTPS->HTTP requests, but in this instance dropbox is redirecting back to HTTP and we're respecting that, as indicated by this log message:

HTTPS Everywhere: Redirection loop trying to set HTTPS on:

http://www.dropbox.com/position?jvi=o6yHVfw0,Job

(falling back to HTTP)
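The loop behaviour described in comment:2, as an added example that is not part of the ticket and not HTTPS Everywhere's own code. The `rewrite` rule, `fakeServer` and `fetchWithLoopDetection` are hypothetical names for a simplified model; the server behaviour is constructed to match the log message.

```javascript
// Added illustration: a simplified model, not HTTPS Everywhere's own code.
// Assumed rule: upgrade every http://www.dropbox.com/ URL to https.
function rewrite(url) {
  return url.replace(/^http:\/\/www\.dropbox\.com\//, "https://www.dropbox.com/");
}

// Constructed server: bounces /position back to plain HTTP, serves the rest.
function fakeServer(url) {
  const u = new URL(url);
  if (u.protocol === "https:" && u.pathname === "/position") {
    return { status: 302, location: "http://" + u.host + u.pathname + u.search };
  }
  return { status: 200 };
}

function fetchWithLoopDetection(startUrl, server, maxHops = 10) {
  const upgradedOnce = new Set(); // HTTP URLs already rewritten in this chain
  const log = [];
  let url = startUrl;
  for (let hop = 0; hop < maxHops; hop++) {
    let target = url;
    const upgraded = rewrite(url);
    if (upgraded !== url) {
      if (upgradedOnce.has(url)) {
        // The server sent us back to a URL we already upgraded: stop rewriting it.
        log.push("Redirection loop trying to set HTTPS on: " + url +
                 " (falling back to HTTP)");
      } else {
        upgradedOnce.add(url);
        target = upgraded;
      }
    }
    const res = server(target);
    if (res.status >= 300 && res.status < 400) {
      url = new URL(res.location, target).href; // resolve relative Location
      continue;
    }
    return { finalUrl: target, downgraded: log.length > 0, log };
  }
  throw new Error("too many redirects");
}

const looped = fetchWithLoopDetection(
  "http://www.dropbox.com/position?jvi=o6yHVfw0,Job", fakeServer);
console.log(looped.finalUrl, looped.log);
```

In this model the top-level page ends up on plain HTTP while other URLs under the same rule still get upgraded, so a single page can mix both schemes.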

comment:3 Changed 8 years ago by pde

Here are what I think are the relevant Live HTTP Headers, from after HTTPS-Everywhere has detected the loop and given up rewriting:

----------------------------------------------------------
http://www.dropbox.com/position?jvi=oQ1lVfwR,Job

GET /position?jvi=oQ1lVfwR,Job HTTP/1.1
Host: www.dropbox.com
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://hire.jobvite.com/CompanyJobs/Careers.aspx?k=JobListing&c=qD19Vfws&jvresize=http%3a%2f%2fwww.dropbox.com%2fframeresize.htm&v=1
Cookie: gvc=MzA4NjE5Mjg4MjU0MDE2MjQ2ODkyMDQzNDgzOTAyNDE2MzU5NjY2; __utma=145599457.311659016731854700.1312234669.1312234669.1312234669.1; __utmb=145599457.5.10.1312234669; __utmc=145599457; __utmz=145599457.1312234669.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 01 Aug 2011 21:40:08 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Encoding: gzip
----------------------------------------------------------
http://hire.jobvite.com/CompanyJobs/Jobs.aspx?c=qD19Vfws&jvresize=http://www.dropbox.com/frameresize.htm&j=oQ1lVfwR,Job&k=Job

GET /CompanyJobs/Jobs.aspx?c=qD19Vfws&jvresize=http://www.dropbox.com/frameresize.htm&j=oQ1lVfwR,Job&k=Job HTTP/1.1
Host: hire.jobvite.com
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://www.dropbox.com/position?jvi=oQ1lVfwR,Job
Cookie: ASP.NET_SessionId=25anfp55pjrmhk55yhioiurf; __utma=197432630.1540392077.1312234672.1312234672.1312234672.1; __utmb=197432630.15.10.1312234672; __utmc=197432630; __utmz=197432630.1312234672.1.1.utmcsr=dropbox.com|utmccn=(referral)|utmcmd=referral|utmcct=/jobs; __utmv=197432630.|1=UserId=07f72031-ce41-4b45-9acd-3c0ee4a6f203=1,2=CompanyId=qD19Vfws=1; guestidc=07f72031-ce41-4b45-9acd-3c0ee4a6f203

HTTP/1.1 302 Object Moved
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Location: Careers.aspx?k=JobListing&c=qD19Vfws&jvresize=http%3a%2f%2fwww.dropbox.com%2fframeresize.htm&j=oQ1lVfwR%2cJob&v=1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 01 Aug 2011 21:40:09 GMT
Content-Length: 155
----------------------------------------------------------
http://hire.jobvite.com/CompanyJobs/Careers.aspx?k=JobListing&c=qD19Vfws&jvresize=http%3a%2f%2fwww.dropbox.com%2fframeresize.htm&j=oQ1lVfwR%2cJob&v=1

GET /CompanyJobs/Careers.aspx?k=JobListing&c=qD19Vfws&jvresize=http%3a%2f%2fwww.dropbox.com%2fframeresize.htm&j=oQ1lVfwR%2cJob&v=1 HTTP/1.1
Host: hire.jobvite.com
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://www.dropbox.com/position?jvi=oQ1lVfwR,Job
Cookie: ASP.NET_SessionId=25anfp55pjrmhk55yhioiurf; __utma=197432630.1540392077.1312234672.1312234672.1312234672.1; __utmb=197432630.15.10.1312234672; __utmc=197432630; __utmz=197432630.1312234672.1.1.utmcsr=dropbox.com|utmccn=(referral)|utmcmd=referral|utmcct=/jobs; __utmv=197432630.|1=UserId=07f72031-ce41-4b45-9acd-3c0ee4a6f203=1,2=CompanyId=qD19Vfws=1; guestidc=07f72031-ce41-4b45-9acd-3c0ee4a6f203

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 01 Aug 2011 21:40:09 GMT
Content-Length: 22590
----------------------------------------------------------
https://www.dropbox.com/frameresize.htm?height=1263

GET /frameresize.htm?height=1263 HTTP/1.1
Host: www.dropbox.com
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://hire.jobvite.com/CompanyJobs/Careers.aspx?k=JobListing&c=qD19Vfws&jvresize=http%3a%2f%2fwww.dropbox.com%2fframeresize.htm&j=oQ1lVfwR%2cJob&v=1
Cookie: gvc=MzA4NjE5Mjg4MjU0MDE2MjQ2ODkyMDQzNDgzOTAyNDE2MzU5NjY2; __utma=145599457.311659016731854700.1312234669.1312234669.1312234669.1; __utmb=145599457.6.10.1312234669; __utmc=145599457; __utmz=145599457.1312234669.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 01 Aug 2011 21:40:11 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Encoding: gzip
----------------------------------------------------------

Joe, could the problem have anything to do with that last frameresize request? Might that behave differently when we send it over https for some reason?
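A way to spot requests like that last one in a capture, as an added example that is not part of the ticket: it parses the Live HTTP Headers layout shown above and lists requests whose scheme differs from their Referer's. The block layout is inferred from this page, the sample is abbreviated from the capture with trimmed headers and query strings, and `parseCapture` and `schemeMismatches` are hypothetical names.

```javascript
// Constructed sample, abbreviated from the capture in comment:3.
const SEP = "-".repeat(58);
const capture = [
  SEP,
  "http://www.dropbox.com/position?jvi=oQ1lVfwR,Job",
  "",
  "GET /position?jvi=oQ1lVfwR,Job HTTP/1.1",
  "Host: www.dropbox.com",
  "Referer: http://hire.jobvite.com/CompanyJobs/Careers.aspx?k=JobListing",
  "",
  "HTTP/1.1 200 OK",
  SEP,
  "https://www.dropbox.com/frameresize.htm?height=1263",
  "",
  "GET /frameresize.htm?height=1263 HTTP/1.1",
  "Host: www.dropbox.com",
  "Referer: http://hire.jobvite.com/CompanyJobs/Careers.aspx?k=JobListing",
  "",
  "HTTP/1.1 200 OK",
  SEP,
].join("\n");

// Split on the dashed separators; each block is URL, request, response,
// with the three parts separated by blank lines.
function parseCapture(text) {
  return text.split(/^-{10,}$/m)
    .map(block => block.trim())
    .filter(Boolean)
    .map(block => {
      const [url, request = "", response = ""] = block.split(/\n\s*\n/);
      const referer = (request.match(/^Referer:\s*(\S+)/mi) || [])[1] || null;
      const status = Number((response.match(/^HTTP\/\d\.\d\s+(\d{3})/) || [])[1]);
      return { url: url.trim(), referer, status };
    });
}

// Requests whose scheme differs from the scheme of the page that referred them.
function schemeMismatches(entries) {
  return entries
    .filter(e => e.referer)
    .map(e => ({ url: e.url,
                 from: new URL(e.referer).protocol,
                 to: new URL(e.url).protocol }))
    .filter(m => m.from !== m.to);
}

console.log(schemeMismatches(parseCapture(capture)));
```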

comment:4 Changed 8 years ago by pde

Summary: Jobvite inclusions broken on dropbox.com → Jobvite inclusions render weirdly on dropbox.com

comment:5 Changed 8 years ago by pde

Resolution: fixed
Status: accepted → closed

This commit appears to fix the problem:

https://gitweb.torproject.org/https-everywhere.git/commitdiff/72056be0dcf2d74e23fac9feff798e1bb841b670

On the Dropbox end, I should note that the redirects back to HTTP for these top-level pages may be unnecessary. It's the frameresize script that's suffering from the problem (possibly because the Referrer isn't actually being sent? Although it's listed in the headers above, I would want to see server-side logs to see if it's really there).
