HTTPS Everywhere breaks the YouTube JS API

See bottom of bug report at https://code.google.com/p/swfobject/issues/detail?id=332

Trac:
Username: raylu

added component::https everywhere/eff-https everywhere httpse-ruleset-bug owner::pde priority::medium reporter::raylu severity::normal status::new type::defect labels

Trac:
Component: - Select a component to EFF-HTTPS Everywhere
Owner: N/A to pde

A possibly-related bug report: !https://mail1.eff.org/pipermail/https-everywhere-rules/2012-February/000992.html

Trac:
Keywords: N/A deleted, youtube added

Trac:
Keywords: youtube deleted, httpse-ruleset-bug added

ari--e reported some research on this via IRC. Apparently it seems to be caused by Youtube's JS doing DOM introspection of a .src attribute to learn the URI scheme of the player iframe. ari--e says that if HTTPS E rewrites the iframe, the DOM .src attribute still indicates "http". Interestingly, when images are rewritten the DOM .src attirbute is HTTPS.

We need to investigate whether this is dependent on which API pathway the rewrites occurs on, and whether the #3190 (moved) patch landing in FF 20 changes the situation.

ari-_-e is working on a clean/simple reproduction case for this.

ari-_-e proposed a test case here:

http://bpaste.net/show/88051/

You can run it here:

http://reworld.org/bugs/httpse-bug-4408.html

See also this discussion regarding the fact that DOM .src attributes will be unrewritten in the Chrome port of HTTPS Everywhere right now.

Set all open tickets without a severity to "Normal"

Trac:
Severity: N/A to Normal

mentioned in issue #6352 (moved)

moved to tpo/applications/https-everywhere-eff#4408 (closed)