HTTPS Everywhere breaks Disqus commenting

[cypherpunks]

When HTTPS Everywhere is enabled commenting on sites that use the Disqus commenting service is not possible, due to the submit button not loading. This problem also occurs on the Disqus blog, for instance at ​http://blog.disqus.com/post/19805413105/introducing-orbital

The JavaScript console shows the following error message:

---

Unable to post message to ​http://mediacdn.disqus.com. Recipient has origin ​https://securecdn.disqus.com.

---

[cypherpunks]

Disqus private beta is affected by this issue as well. Chrome 19.0.1084.1 dev on Ubuntu Linux

Here are c&p of errors in console with stacktraces expanded

Unable to post message to http://disqus.com. Recipient has origin https://disqus.com.
 embed.js:43
d.sendMessage embed.js:43
f embed.js:51
trigger embed.js:46
d embed.js:18
DISQUS.trigger.target embed.js:18
Unable to post message to http://disqus.com. Recipient has origin https://disqus.com.
 embed.js:43
d.sendMessage embed.js:43
f embed.js:51
trigger embed.js:46
d embed.js:41
DISQUS.trigger.target embed.js:41
Unable to post message to http://disqus.com. Recipient has origin https://disqus.com.
 embed.js:43
d.sendMessage embed.js:43
f embed.js:51
trigger embed.js:46
d embed.js:18
(anonymous function) embed.js:18
Unable to post message to http://disqus.com. Recipient has origin https://disqus.com.
 embed.js:43
d.sendMessage embed.js:43
f embed.js:51
trigger embed.js:46
d embed.js:41
(anonymous function) embed.js:41

[pde]

This should reportedly be fixed by Negres's recent changes in git master.

[pde]

Which will be released as 3.0development.2; this bug was not in 2.0.1.  Closing for now.

[cypherpunks]

@pde: when fix will be available for Chrome extension?

[pde]

Janne Maekelae sent another report of the Disqus rulesets breaking comments in 3.0development.2, so reopening this :(

Here: https://torrentfreak.com/bittorrent-to-rebrand-itself-as-gyre-120505/

[pde]

Janne, I was able to post a Disqus comment on that page using 3.0development.2.  Can you reproduce this problem in a clean browser profile with a fresh install of HTTPS Everywhere and no other extensions?

[gh1234]

torrentfreak.com works great for me, too.
But I have issues with

​http://www.omgubuntu.co.uk/2012/05/ea-games-arrive-in-the-ubuntu-software-center/

While HTTPS Everywhere is enabled I do not even see the comments below the article.
The devtools show the following error:

Unable to post message to http://disqus.com. Recipient has origin https://disqus.com.
a.sendMessage   securecdn.disqus.com/1336587756/build/next/embed.js:20
f               securecdn.disqus.com/1336587756/build/next/embed.js:28
trigger         securecdn.disqus.com/1336587756/build/next/embed.js:23
DISQUS.trigger.target

[pde]

I agree that 3.0development.4 is broken on that page.

[pde]

(by which I mean, git master)

[pde]

I've disabled the Disqus ruleset in both the 2.0 and master git branches, which means this should be worked-around in the next releases. However, it would be quite a pity that if can't figure out a reliable way to secure all of these conversations.

To that end I've also contacted Disqus to see if any of their developers can take a look at the ruleset...

[pde]

Disqus tech support wrote back to say:

Thanks for bringing this to our attention. I've forwarded this email to our developers and we're already having some conversations (and have a few related internal tickets) that should help resolve this. There shouldn't be any changes you'll need to make to the plugin itself, we'll work on this on our end.

Regarding timeline, we're currently heads-down on getting Disqus 2012 out the door so this likely won't be completed in the immediate near-term but we are
looking to turn our sights on issues like this post-D12 launch.

[pde]

I will proceeed with disabling the Disqus ruleset unless and until we here back from them that things are more consistently safe on the server side.

[pde]

This should really and truly be fixed in today's stable and dev releases.