Opened 5 years ago

Last modified 5 years ago

#7454 accepted defect

Active rules list doesn't indicate effects of securecookie if no URL rewrite took place

Reported by: schoen
Owned by: pde
Priority: Medium
Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere
Version:
Severity:
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

We just had a bug reported about a securecookie rule that applied to all of MIT (including pages that don't support HTTPS at all!) and was breaking logins.

However, the ruleset in question didn't appear in the active rules menu, because no rewrite rule was triggered on the page in question -- only a securecookie. This made the problem take slightly longer to debug and made it harder for affected users to work around. The existing logic for deciding which rules are "active" on the current page seems to be triggered solely by rewrite rules.

Since securecookie rules affect page rendering and can even break it, rulesets containing them should also show up in the active rules menu when they were applied to a resource on the current page.
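To make the failure mode concrete, here is a small model of the behaviour the report describes. This is added example code, not HTTPS Everywhere's own implementation: the ruleset, the `legacy.mit.edu` hostname and the cookie values are constructed for illustration, and the real MIT ruleset may differ. It shows a `<securecookie>` marking a session cookie Secure on a host that has no HTTPS at all, the browser then withholding that cookie from every HTTP request (which is what breaks the login), and an "active rules" list that only counts rewrite rules staying empty while one that also counts securecookie interventions names the responsible ruleset.

```javascript
// Added example (not HTTPS Everywhere's own code). The ruleset below is
// constructed for illustration and is not the real MIT ruleset.
const rulesets = [
  {
    name: "MIT (constructed example)",
    targets: [/^([^.]+\.)*mit\.edu$/],          // <target host="*.mit.edu" />
    rules: [{ from: /^http:\/\/(www\.)?mit\.edu\//, to: "https://$1mit.edu/" }],
    securecookies: [{ host: /.*\.mit\.edu$/, name: /.*/ }],
  },
];

function hostOf(url) {
  return new URL(url).hostname;
}

// Apply <rule> rewrites to a URL. Returns the rewritten URL and the ruleset
// that fired, or null if nothing matched (the page loads as-is).
function rewrite(url) {
  for (const rs of rulesets) {
    if (!rs.targets.some((t) => t.test(hostOf(url)))) continue;
    for (const r of rs.rules) {
      if (r.from.test(url)) return { url: url.replace(r.from, r.to), ruleset: rs };
    }
  }
  return null;
}

// Apply <securecookie> to a cookie being set by cookie.host. Sets the Secure
// flag in place and returns the ruleset responsible, or null.
function secureCookie(cookie) {
  for (const rs of rulesets) {
    if (!rs.targets.some((t) => t.test(cookie.host))) continue;
    for (const sc of rs.securecookies) {
      if (sc.host.test(cookie.host) && sc.name.test(cookie.name)) {
        cookie.secure = true;
        return rs;
      }
    }
  }
  return null;
}

// Browser cookie semantics: a Secure cookie is only sent over https.
function cookiesSentTo(jar, url) {
  const u = new URL(url);
  return jar.filter((c) => c.host === u.hostname && (!c.secure || u.protocol === "https:"));
}

// Two policies for the "active rules" menu. rewriteOnly is the behaviour the
// ticket describes; the alternative also counts securecookie interventions.
function activeRulesets(events, { rewriteOnly }) {
  const seen = new Set();
  for (const e of events) {
    if (e.kind === "rewrite" || (!rewriteOnly && e.kind === "securecookie")) {
      if (e.ruleset) seen.add(e.ruleset.name);
    }
  }
  return [...seen];
}

// Scenario: an HTTP-only host under *.mit.edu logs a user in.
function simulateHttpOnlyLogin() {
  const page = "http://legacy.mit.edu/login";   // constructed hostname
  const events = [];
  const jar = [];

  const rw = rewrite(page);                     // no <rule> covers this host
  events.push({ kind: "rewrite", ruleset: rw ? rw.ruleset : null });

  // Server answers with Set-Cookie: session=abc123 (no Secure flag).
  const cookie = { host: "legacy.mit.edu", name: "session", value: "abc123", secure: false };
  events.push({ kind: "securecookie", ruleset: secureCookie(cookie) });
  jar.push(cookie);

  // Next navigation on the same HTTP-only host: is the session cookie sent?
  const sent = cookiesSentTo(jar, "http://legacy.mit.edu/account");
  return {
    cookieSecured: cookie.secure,
    sessionCookieSent: sent.length > 0,
    menuRewriteOnly: activeRulesets(events, { rewriteOnly: true }),
    menuWithSecureCookie: activeRulesets(events, { rewriteOnly: false }),
  };
}
```

Calling `simulateHttpOnlyLogin()` yields a cookie that was secured, a follow-up HTTP request that carries no session cookie, an empty menu under the rewrite-only policy, and the constructed ruleset's name once securecookie events are counted. The design point is the last one: the menu is only useful for diagnosis if every kind of intervention a ruleset makes on the page, not just URL rewrites, is recorded against that ruleset.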

Child Tickets

Change History (2)

comment:1 Changed 5 years ago by pde

Status: new → accepted

The code that implements the <securecookie> element does try to display this fact in the context menu. The problem is that it only happens when the cookie is first secured. There may be no later indication that a cookie in the page was secured by HTTPS Everywhere if HTTPS Everywhere has nothing else to change in that page, and there may be no indication that a cookie is missing from an HTTP page because of a past securecookie intervention. I think these are probably fixable, though it will be tricky work.

It is also the case that disabling a ruleset won't go and remove the securecookie flag from all of the cookies it was set on, since that operation itself could potentially cause insecurity. Although perhaps it's the lesser of two evils...

comment:2 Changed 5 years ago by pde

(by way of extra documentation, all the calls to methods of the applicable_list object cause things to be displayed in the context menu)
