Opened 5 years ago

Closed 3 years ago

#6975 closed task (fixed)

Tag for Chrome & FF23+ all the rulesets where mixed content breaks things (!)

Reported by: pde Owned by: micahlee
Priority: Very High Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere Version:
Severity: Keywords:
Cc: palmer@…, mmacleod@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Recent versions of Chromium and Chrome have implemented an automatic mechanism to block the loading of insecure HTTP scripts from HTTPS origins. At first there was a loud popup message whenever that happened, but now the only indication in the UI is a small shield in the address bar, which the user can click on to force the insecure scripts to load.

Google has replied "won't fix" to any UX or extension API requests we made about this: https://code.google.com/p/chromium/issues/detail?id=144637

As a result, we are going to need a major push to identify rulesets that break sites in Chrome because of this mechanism, and disable them on that platform. This ticket will track that task.


Child Tickets

TicketStatusOwnerSummaryComponent
#6973closedpdeHTTPS Everywhere for Chrome is preventing CR from loading correctlyHTTPS Everywhere/EFF-HTTPS Everywhere
#7238closedpdeChrome HTTPS Everywhere makes some iGoogle page widget breakHTTPS Everywhere/HTTPS Everywhere: Chrome
#7427closedpdeProblem with the images on www.fmylife.comHTTPS Everywhere/EFF-HTTPS Everywhere
#7628closedpdeVerizon Wireless site doesn't load correctlyHTTPS Everywhere/EFF-HTTPS Everywhere
#8216closedMBBBC iPlayer renders weirdlyHTTPS Everywhere/EFF-HTTPS Everywhere
#8563closedpdeZend Download page broken/Partial contentHTTPS Everywhere/EFF-HTTPS Everywhere
#8566closedpdeChrome - Wordpress.org support area broken (mixed content)HTTPS Everywhere/HTTPS Everywhere: Chrome
#8569closedpdeChrome - Dell website broken, mixed contentHTTPS Everywhere/EFF-HTTPS Everywhere
#8584closedpdeChrome - Apple Support site broken (mixed content)HTTPS Everywhere/EFF-HTTPS Everywhere
#8738closedpdeChrome - www.fbi.gov broken (mixed content)HTTPS Everywhere/EFF-HTTPS Everywhere

Change History (10)

comment:1 Changed 5 years ago by pde

Cc: palmer@… added

We can achieve this by adding platform="firefox" to all of these rulesets. But it's probably a better idea to make a new pseudoplatform, "mixed", for all HTTPS Everywhere ports where mixed content loads.

comment:2 Changed 5 years ago by pde

Type: defecttask

The Firefox master branch will currently consider rulesets marked platform="mixedcontent" enabled, while other platforms including Chrome will not.

https://gitweb.torproject.org/https-everywhere.git/commitdiff/0a56370cc952c096a0fdc2bf78fb554ad91aab64

comment:3 Changed 5 years ago by macleod199

Cc: mmacleod@… added

comment:4 Changed 5 years ago by pde

Similar mixed content blocking is landing in Firefox so this is going to be an even higher priority.

MB has been labelling a lot of rulesets as "partial". I doubt this corresponds precisely to mixed content, but I wonder what would happen if we assumed that the "partial" rulesets should all be disabled on Chromium and whatever version of FF the mixed content blocking lands in.

comment:5 Changed 5 years ago by alphawolf

Is there a way to get a list of all the sites for which rules exists?  When I have free time, I'd be willing to systematically go through the list and create new tickets for affected sites.  Currently I'm just creating tickets as I encounter an issue.

Assuming I did this.. would you want a separate ticket per site, or should I "batch" them?

Would it be useful for me to learn the rule syntax, and perhaps correct them myself and provide a "patch".  If so, in what format would you like it?  Just a text file with the corrected rule, or an actual "patch" file?

Where does one even *find* the rules in Chrome??

comment:6 Changed 4 years ago by pde

Summary: Disable on Chromium all the rulesets where mixed content breaks things (!)Tag for Chrome & FF23+ all the rulesets where mixed content breaks things (!)

comment:7 Changed 4 years ago by micahlee

Owner: changed from pde to micahlee
Status: newassigned

This is basically fixed now because of #9196. We identified 754 rules in the stable branch that caused mixed content errors and marked them as platform="mixedcontent", and did a Firefox update.

I just need to test a new build of the Chromium extension with these same rules and if it looks good make a new release. I believe that this release can finally be the first stable Chromium release.

comment:8 Changed 4 years ago by Wisperbird

Https everywhere prevents FullPage screenshot.
But when you do a Visible Screenshot and disable "Https everywhere" in the resulting page,
then FullPage screenshot will work.

comment:9 Changed 4 years ago by micahlee

Over the summer Lisa Yao, our Google Summer of Code intern, helped write a bunch of code to do automatic ruleset tests to test for mixed content. Originally it was a mozilla-central mochitest, then moved into a standalone Firefox extension, and now finally it's been merged into the HTTPS Everywhere master branch.

I've updated the readme file with how to run the tests:

You can run ruleset tests by opening about:config and changing extensions.https_everywhere.show_ruleset_tests to true. Now when you open the HTTPS Everywhere context menu there will be a "Run HTTPS Everywhere Ruleset Tests" menu item.

When you run the tests, be prepared to let your computer run them for a really long time.

The tests take over your browser by opening a ton of tabs, waiting for them to load, and seeing if the Firefox MCB gets triggered. A lot more work can be done on them, and they can be used to detect a lot more than just mixed content. But that's all they do for now.

comment:10 Changed 3 years ago by jsha

Resolution: fixed
Status: assignedclosed

It's been over a year, and most of the rulesets that break under MCB have been tagged. Additional ones will be fixed using the normal ruleset fix process.

Note: See TracTickets for help on using tickets.