Opened 7 years ago

Last modified 19 months ago

#6980 new defect

HTTPS Everywhere rules often interfere with Adobe cross-domain policy mechanism

Reported by: schoen Owned by: pde
Priority: Medium Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Adobe Flash Player defines a cross-domain policy file mechanism</a> for preventing cross-domain attacks involving Flash. The file is written in XML and placed in a file called crossdomain.xml at the root of a domain</a>. Current versions of Flash Player will block some information flows unless they are explicitly permitted by the cross-domain policy file.

We've had several bugs (usually about video embedding) related to rewriting into As I understand it, these bugs resulted from either (1) the HTTPS version not existing at all, or (2) the HTTPS version having different contents from the HTTP version, resulting in the end-user's Flash plugin not learning that a site had intended to permit an embedding-related action (and incorrectly blocking the action).

I don't think Flash Player treats cross-domain policy files loaded over HTTPS differently from those loaded over HTTP, and I don't think it forbids the files to be loaded over HTTPS, although both of these possibilities are worth checking into.

We would like to have a blanket solution for this category of errors (which might still be responsible for a number of our ongoing video embedding bugs), or at least a way to identify them quickly with automated testing.

Child Tickets

#7127closedpdeYoutube live streaming brokenHTTPS Everywhere/EFF-HTTPS Everywhere ruleset breaks videos on multiple sitesHTTPS Everywhere/EFF-HTTPS Everywhere
#8637closedpdeUploading files does not work in SoundCloudHTTPS Everywhere/EFF-HTTPS Everywhere

Change History (3)

comment:1 Changed 7 years ago by schoen

Priority: trivialnormal

comment:2 Changed 7 years ago by pde

#7127 seems to be an instance of this which doesn't fit into either Seth's proposed causal categories. seems to be the same for me when fetched over HTTP or HTTPS, and yet live streaming is broken when the request is rewritten.

comment:3 Changed 19 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

Note: See TracTickets for help on using tickets.