Opened 5 years ago

Closed 3 years ago

#6975 closed task (fixed)

Tag for Chrome & FF23+ all the rulesets where mixed content breaks things (!)

Reported by: pde Owned by: micahlee
Priority: Very High Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere Version:
Severity: Keywords:
Cc: palmer@…, mmacleod@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Recent versions of Chromium and Chrome have implemented an automatic mechanism to block the loading of insecure HTTP scripts from HTTPS origins. At first there was a loud popup message whenever that happened, but now the only indication in the UI is a small shield in the address bar, which the user can click on to force the insecure scripts to load.

Google has replied "won't fix" to any UX or extension API requests we made about this:

As a result, we are going to need a major push to identify rulesets that break sites in Chrome because of this mechanism, and disable them on that platform. This ticket will track that task.

Child Tickets

#6973HTTPS Everywhere for Chrome is preventing CR from loading correctlypde
#7238Chrome HTTPS Everywhere makes some iGoogle page widget breakpde
#7427Problem with the images on www.fmylife.compde
#7628Verizon Wireless site doesn't load correctlypde
#8216BBC iPlayer renders weirdlyMB
#8563Zend Download page broken/Partial contentpde
#8566Chrome - support area broken (mixed content)pde
#8569Chrome - Dell website broken, mixed contentpde
#8584Chrome - Apple Support site broken (mixed content)pde
#8738Chrome - broken (mixed content)pde

Change History (10)

comment:1 Changed 5 years ago by pde

  • Cc palmer@… added

We can achieve this by adding platform="firefox" to all of these rulesets. But it's probably a better idea to make a new pseudoplatform, "mixed", for all HTTPS Everywhere ports where mixed content loads.

comment:2 Changed 5 years ago by pde

  • Type changed from defect to task

The Firefox master branch will currently consider rulesets marked platform="mixedcontent" enabled, while other platforms including Chrome will not.

comment:3 Changed 5 years ago by macleod199

  • Cc mmacleod@… added

comment:4 Changed 5 years ago by pde

Similar mixed content blocking is landing in Firefox so this is going to be an even higher priority.

MB has been labelling a lot of rulesets as "partial". I doubt this corresponds precisely to mixed content, but I wonder what would happen if we assumed that the "partial" rulesets should all be disabled on Chromium and whatever version of FF the mixed content blocking lands in.

comment:5 Changed 4 years ago by alphawolf

Is there a way to get a list of all the sites for which rules exists?  When I have free time, I'd be willing to systematically go through the list and create new tickets for affected sites.  Currently I'm just creating tickets as I encounter an issue.

Assuming I did this.. would you want a separate ticket per site, or should I "batch" them?

Would it be useful for me to learn the rule syntax, and perhaps correct them myself and provide a "patch".  If so, in what format would you like it?  Just a text file with the corrected rule, or an actual "patch" file?

Where does one even *find* the rules in Chrome??

comment:6 Changed 4 years ago by pde

  • Summary changed from Disable on Chromium all the rulesets where mixed content breaks things (!) to Tag for Chrome & FF23+ all the rulesets where mixed content breaks things (!)

comment:7 Changed 4 years ago by micahlee

  • Owner changed from pde to micahlee
  • Status changed from new to assigned

This is basically fixed now because of #9196. We identified 754 rules in the stable branch that caused mixed content errors and marked them as platform="mixedcontent", and did a Firefox update.

I just need to test a new build of the Chromium extension with these same rules and if it looks good make a new release. I believe that this release can finally be the first stable Chromium release.

comment:8 Changed 4 years ago by Wisperbird

Https everywhere prevents FullPage screenshot.
But when you do a Visible Screenshot and disable "Https everywhere" in the resulting page,
then FullPage screenshot will work.

comment:9 Changed 4 years ago by micahlee

Over the summer Lisa Yao, our Google Summer of Code intern, helped write a bunch of code to do automatic ruleset tests to test for mixed content. Originally it was a mozilla-central mochitest, then moved into a standalone Firefox extension, and now finally it's been merged into the HTTPS Everywhere master branch.

I've updated the readme file with how to run the tests:

You can run ruleset tests by opening about:config and changing extensions.https_everywhere.show_ruleset_tests to true. Now when you open the HTTPS Everywhere context menu there will be a "Run HTTPS Everywhere Ruleset Tests" menu item.

When you run the tests, be prepared to let your computer run them for a really long time.

The tests take over your browser by opening a ton of tabs, waiting for them to load, and seeing if the Firefox MCB gets triggered. A lot more work can be done on them, and they can be used to detect a lot more than just mixed content. But that's all they do for now.

comment:10 Changed 3 years ago by jsha

  • Resolution set to fixed
  • Status changed from assigned to closed

It's been over a year, and most of the rulesets that break under MCB have been tagged. Additional ones will be fixed using the normal ruleset fix process.

Note: See TracTickets for help on using tickets.