Opened 19 months ago

Last modified 5 months ago

#6975 assigned task

Tag for Chrome & FF23+ all the rulesets where mixed content breaks things (!)

Reported by: pde Owned by: micahlee
Priority: critical Milestone:
Component: EFF-HTTPS Everywhere Version:
Keywords: Cc: palmer@…, mmacleod@…
Actual Points: Parent ID:
Points:

Description

Recent versions of Chromium and Chrome have implemented an automatic mechanism to block the loading of insecure HTTP scripts from HTTPS origins. At first there was a loud popup message whenever that happened, but now the only indication in the UI is a small shield in the address bar, which the user can click on to force the insecure scripts to load.

Google has replied "won't fix" to any UX or extension API requests we made about this: https://code.google.com/p/chromium/issues/detail?id=144637

As a result, we are going to need a major push to identify rulesets that break sites in Chrome because of this mechanism, and disable them on that platform. This ticket will track that task.


Child Tickets

TicketSummaryOwner
#6973HTTPS Everywhere for Chrome is preventing CR from loading correctlypde
#7238Chrome HTTPS Everywhere makes some iGoogle page widget breakpde
#7427Problem with the images on www.fmylife.compde
#7628Verizon Wireless site doesn't load correctlypde
#8216BBC iPlayer renders weirdlyMB
#8563Zend Download page broken/Partial contentpde
#8566Chrome - Wordpress.org support area broken (mixed content)pde
#8569Chrome - Dell website broken, mixed contentpde
#8584Chrome - Apple Support site broken (mixed content)pde
#8738Chrome - www.fbi.gov broken (mixed content)pde
#8774Disable mixed content rulesets on FF 23+micahlee

Attachments (1)

app.php (708 bytes) - added by Slavon 3 months ago.
http://volcano-vaporizer-reviews.com

Download all attachments as: .zip

Change History (10)

comment:1 Changed 19 months ago by pde

  • Cc palmer@… added

We can achieve this by adding platform="firefox" to all of these rulesets. But it's probably a better idea to make a new pseudoplatform, "mixed", for all HTTPS Everywhere ports where mixed content loads.

comment:2 Changed 19 months ago by pde

  • Type changed from defect to task

The Firefox master branch will currently consider rulesets marked platform="mixedcontent" enabled, while other platforms including Chrome will not.

https://gitweb.torproject.org/https-everywhere.git/commitdiff/0a56370cc952c096a0fdc2bf78fb554ad91aab64

comment:3 Changed 17 months ago by macleod199

  • Cc mmacleod@… added

comment:4 Changed 16 months ago by pde

Similar mixed content blocking is landing in Firefox so this is going to be an even higher priority.

MB has been labelling a lot of rulesets as "partial". I doubt this corresponds precisely to mixed content, but I wonder what would happen if we assumed that the "partial" rulesets should all be disabled on Chromium and whatever version of FF the mixed content blocking lands in.

comment:5 Changed 12 months ago by alphawolf

Is there a way to get a list of all the sites for which rules exists?  When I have free time, I'd be willing to systematically go through the list and create new tickets for affected sites.  Currently I'm just creating tickets as I encounter an issue.

Assuming I did this.. would you want a separate ticket per site, or should I "batch" them?

Would it be useful for me to learn the rule syntax, and perhaps correct them myself and provide a "patch".  If so, in what format would you like it?  Just a text file with the corrected rule, or an actual "patch" file?

Where does one even *find* the rules in Chrome??

comment:6 Changed 12 months ago by pde

  • Summary changed from Disable on Chromium all the rulesets where mixed content breaks things (!) to Tag for Chrome & FF23+ all the rulesets where mixed content breaks things (!)

comment:7 Changed 8 months ago by micahlee

  • Owner changed from pde to micahlee
  • Status changed from new to assigned

This is basically fixed now because of #9196. We identified 754 rules in the stable branch that caused mixed content errors and marked them as platform="mixedcontent", and did a Firefox update.

I just need to test a new build of the Chromium extension with these same rules and if it looks good make a new release. I believe that this release can finally be the first stable Chromium release.

comment:8 Changed 6 months ago by Wisperbird

Https everywhere prevents FullPage screenshot.
But when you do a Visible Screenshot and disable "Https everywhere" in the resulting page,
then FullPage screenshot will work.

comment:9 Changed 5 months ago by micahlee

Over the summer Lisa Yao, our Google Summer of Code intern, helped write a bunch of code to do automatic ruleset tests to test for mixed content. Originally it was a mozilla-central mochitest, then moved into a standalone Firefox extension, and now finally it's been merged into the HTTPS Everywhere master branch.

I've updated the readme file with how to run the tests:

You can run ruleset tests by opening about:config and changing extensions.https_everywhere.show_ruleset_tests to true. Now when you open the HTTPS Everywhere context menu there will be a "Run HTTPS Everywhere Ruleset Tests" menu item.

When you run the tests, be prepared to let your computer run them for a really long time.

The tests take over your browser by opening a ton of tabs, waiting for them to load, and seeing if the Firefox MCB gets triggered. A lot more work can be done on them, and they can be used to detect a lot more than just mixed content. But that's all they do for now.

Note: See TracTickets for help on using tickets.