Opened 9 years ago

Last modified 3 years ago

#4408 new defect

HTTPS Everywhere breaks the YouTube JS API

Reported by: raylu Owned by: pde
Priority: Medium Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere Version:
Severity: Normal Keywords: httpse-ruleset-bug
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Child Tickets

#6352assignedzyanprovide way of checking if rules are enabled from the calling web pageHTTPS Everywhere/EFF-HTTPS Everywhere

Change History (8)

comment:1 Changed 9 years ago by nickm

Component: - Select a componentEFF-HTTPS Everywhere
Owner: set to pde

comment:2 Changed 9 years ago by pde

A possibly-related bug report:

comment:3 Changed 8 years ago by pde

Keywords: youtube added

comment:4 Changed 8 years ago by mikeperry

Keywords: httpse-ruleset-bug added; youtube removed

comment:5 Changed 8 years ago by pde

ari-_-e reported some research on this via IRC. Apparently it seems to be caused by Youtube's JS doing DOM introspection of a .src attribute to learn the URI scheme of the player iframe. ari-_-e says that if HTTPS E rewrites the iframe, the DOM .src attribute still indicates "http". Interestingly, when images are rewritten the DOM .src attirbute is HTTPS.

We need to investigate whether this is dependent on which API pathway the rewrites occurs on, and whether the #3190 patch landing in FF 20 changes the situation.

ari-_-e is working on a clean/simple reproduction case for this.

comment:6 Changed 8 years ago by pde

ari-_-e proposed a test case here:

You can run it here:

comment:7 Changed 8 years ago by pde

See also this discussion regarding the fact that DOM .src attributes will be unrewritten in the Chrome port of HTTPS Everywhere right now.

comment:8 Changed 3 years ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

Note: See TracTickets for help on using tickets.