Opened 8 years ago

Closed 8 years ago

#7217 closed defect (wontfix)

Facebook App Confusion

Reported by: Blackfire667
Owned by: pde
Priority: Medium
Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere
Version: HTTPS-E 3.0.2
Severity:
Keywords: facebook, app, https
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

There's an older app on Facebook called "Nations". Its developers have long since mostly given up on it, and certainly won't be updating the code any time soon, so I thought I should try and outline the problem here.

Shortly after I installed HTTPS Everywhere, I started having trouble with the app. See, I can't access it using HTTPS; it either doesn't recognize me as a returning user and prompts me to start a new game or doesn't connect me with my account, so to speak, saying "[file] not found!" when I try to access my data.

Sometimes the confusion occurs on Facebook's end, as well. While logged in to Facebook, I tried to access the app and was shown the Facebook login screen instead. I had to set a rule to disable HTTPS Everywhere for Facebook Apps, then close my browser and try again for the app to finally recognize me as the returning user that I am, and thus link me up with my data. It's bad enough the thing needs third-party cookies to operate...

http://apps.facebook.com/nations/

Change History (3)

comment:1 Changed 8 years ago by pde

Resolution: fixed
Status: new → closed

The reason you saw the Facebook login screen might be the securecookie attributes in the Facebook Apps ruleset. HTTPS Everywhere is refusing to let your Facebook cookies be sent over HTTP, and you needed to disable the ruleset and then logout or restart the browser to change that.

I'm inclined to mark this as wontfix. We want to keep people's Facebook accounts secure by default, and if there's a weird janky old app that cannot function without making your entire FB account vulnerable to cookie theft, you should need to do something active (disabling the Facebook Apps ruleset) to signal that you really want to remove the security protection.

Also be aware that in HTTPS Everywhere 4+, the Facebook and Facebook Apps rulesets will probably be merged, so users will probably have to disable Facebook protection entirely to run apps like this.

Having said all of this, if you can write a ruleset patch which fixes Nations without weakening Facebook security overall, we might consider applying it. The documentation for the ruleset formats is here; Live HTTP Headers is a good diagnostic tool to start with.
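The mechanism pde describes above (a securecookie rule forces the Secure flag onto the site's cookies, after which the browser refuses to attach them to plain-HTTP requests, so an app served over HTTP never sees the login) can be reproduced offline with the Python standard library. The block below is an added illustration, not HTTPS Everywhere code and not part of this ticket: the cookie names, values and the regex rule are constructed, and `apply_securecookie_rules` is only an approximation of how a `<securecookie host="..." name="..."/>` entry matches a cookie's domain and name.

```python
import re
import http.cookiejar
import urllib.request

# Constructed sample: session cookies as a site might set them, without the
# Secure attribute. The names and values are made up for this demonstration.
SAMPLE_COOKIES = [
    ("c_user", "100000000001", ".facebook.com"),
    ("xs", "constructed-session-token", ".facebook.com"),
]

# Illustrative approximation of a ruleset's securecookie entries:
# (host regex matched against the cookie domain, name regex matched against the cookie name).
SECURECOOKIE_RULES = [(r"^\.facebook\.com$", r".*")]


def make_cookie(name, value, domain, secure=False):
    """Build a Netscape-style (version 0) cookie for the stdlib cookie jar."""
    return http.cookiejar.Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def build_jar(samples):
    """Store the constructed cookies in a jar, as a browser would after login."""
    jar = http.cookiejar.CookieJar()
    for name, value, domain in samples:
        jar.set_cookie(make_cookie(name, value, domain))
    return jar


def apply_securecookie_rules(jar, rules):
    """Force the Secure flag on every cookie matched by a (host, name) regex pair.

    Returns the names of the cookies that were changed. This mimics the effect
    of securecookie rules; it is not the extension's own matching code.
    """
    forced = []
    for cookie in jar:
        if cookie.secure:
            continue
        for host_re, name_re in rules:
            if re.search(host_re, cookie.domain) and re.search(name_re, cookie.name):
                cookie.secure = True
                forced.append(cookie.name)
                break
    return forced


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url, or None."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # applies the jar's policy, including the Secure check
    return req.get_header("Cookie")


def demo(app_host="apps.facebook.com", app_path="/nations/"):
    """Compare what an HTTP and an HTTPS request carry before and after the rule."""
    jar = build_jar(SAMPLE_COOKIES)
    urls = {scheme: f"{scheme}://{app_host}{app_path}" for scheme in ("http", "https")}
    before = {scheme: cookie_header_for(jar, url) for scheme, url in urls.items()}
    forced = apply_securecookie_rules(jar, SECURECOOKIE_RULES)
    after = {scheme: cookie_header_for(jar, url) for scheme, url in urls.items()}
    return {"before": before, "forced": forced, "after": after}


if __name__ == "__main__":
    for phase, headers in (("before", demo()["before"]), ("after", demo()["after"])):
        for scheme, header in headers.items():
            print(f"{phase:6} {scheme:5} Cookie: {header}")
```

Before the rule, the same session cookies are attached to both the `http://` and the `https://` request; after it, the HTTP request carries no Cookie header at all, which is exactly the "not logged in" symptom the reporter saw. Note that the flag is set on the stored cookie, so clearing it requires deleting the cookie or logging out, matching the restart pde describes.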

comment:2 Changed 8 years ago by pde

Resolution: fixed
Status: closed → reopened

comment:3 Changed 8 years ago by pde

Resolution: wontfix
Status: reopened → closed