Opened 7 years ago

Closed 7 years ago

#7132 closed defect (fixed)

Google calendar breaks in netvibes portal

Reported by: cypherpunks Owned by: pde
Priority: Medium Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere Version: HTTPS-E 3.0.0
Severity: Keywords: httpse-ruleset-bug
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

After months of no problems, I woke up one morning to find this widget in my portal for Google Calendar using an https URL suddenly saying "connection untrusted" and not displaying the calendar. ("https://www.google.com".......etc)

Now, this makes little sense. Turning off https anywhere quickly worked and restored functionality. But the URL in the widget is still an https url. AND as I understand now, Google automatically selects https where that option is available.

I don't really understand why this is happening, why now, or why ever, especially when it worked before.

https 3.01 in Firefox 16.0.1

Child Tickets

TicketStatusOwnerSummaryComponent
#8621closedpdeProblem with NetvibesHTTPS Everywhere/EFF-HTTPS Everywhere

Change History (5)

comment:1 Changed 7 years ago by arma

Component: - Select a componentEFF-HTTPS Everywhere
Owner: set to pde

comment:2 Changed 7 years ago by pde

Two possibilities include a referrer that is missing somewhere when an HTTPS resource tries to fetch something via HTTP, or a piece of javascript code that string compares against a URL and breaks when an "s" is added to the URL.

Do you know which ruleset is causing this problem? Do you have an example URL that would demonstrate the problem? You could also investigate it more closely with a tool like Live HTTP Headers if you're motivated.

comment:3 Changed 7 years ago by mikeperry

Keywords: httpse-ruleset-bug added; Firefox google calendar netvibes removed

comment:4 Changed 7 years ago by mikkoharhanen

There's more to this bug than just a broken Google Calendar. I could not add any of the featured widgets (Google News, Wired News etc). In addition Netvibes is unusable with Chrome. To reproduce these it is enough to go to https://www.netvibes.com without HTTPS Everywhere.

I could not fix these issues. I would recommend marking this ruleset as mixedcontent and default_off until someone smarter finds a solution:
https://github.com/mikkoharhanen/https-everywhere/commit/b82391b56d27aa66f80aa2e73d2f3c67d95c66db


Link to the reported Google Calendar warning. It is about certificate mismatch. The certificate matches *.netvibes.com but not *.nvmodules.netvibes.com.

Log about adding a widget:

Without HTTPS Everywhere:
GET http://www.netvibes.com/modules/multipleFeeds/providers/?p=nymag&cat=fi [HTTP/1.1 200 OK 57ms]
POST http://www.netvibes.com/api/feeds/subscribe [HTTP/1.1 200 OK 911ms]
GET http://www.netvibes.com/modules/multipleFeeds/providers/nymag/img/nymag_logo.png [HTTP/1.1 200 OK 49ms]
GET http://avatars.netvibes.com/favicon/http://nymag.com [HTTP/1.1 200 OK 59ms]
GET http://www.netvibes.com/modules/multipleFeeds/providers/nymag/img/nymag_bg.png [HTTP/1.1 200 OK 67ms]
GET http://pixel.nymag.com/imgs/daily/intel/2012/03/02/02_nugent.o.jpg/a_146x97.jpg [HTTP/1.1 200 OK 812ms]
GET http://pixel.nymag.com/imgs/daily/intelligencer/2013/02/11/11-major-garrett-tweet.o.jpg/a_560x375.jpg [HTTP/1.1 200 OK 824ms]
POST http://www.netvibes.com/ajax/save/userData.php?module.edit [HTTP/1.1 200 OK 86ms]

With HTTPS Everywhere:
POST https://www.netvibes.com/api/my/widgets/90763146/create/multi [HTTP/1.1 200 OK 123ms]
GET https://www.netvibes.com/modules/multipleFeeds/providers/?p=nymag&cat=fi [HTTP/1.1 200 OK 51ms]
POST https://www.netvibes.com/ajax/save/userData.php?module.edit [HTTP/1.1 200 OK 88ms]

comment:5 Changed 7 years ago by schoen

Resolution: fixed
Status: newclosed

Per this bug, the ruleset has already been marked as default_off. Hopefully our forthcoming efforts to contact webmasters and get them more involved with HTTPS Everywhere will provide a better means of addressing things like this.

Note: See TracTickets for help on using tickets.