HTTPS-E "Vimeo" Ruleset breaks video player when embedded in foreign sites
Should the "Vimeo" ruleset be disabled by default?
Altogether, quite a few bits transit over clear HTTP: not only the stream itself, but also the main portal (302), jpg pictures, etc. And the current ruleset's exclusion breaks embedded video on foreign sites.
Vimeo web server
- does 302 redirs (!) from https://vimeo.com/52967607 or https://secure.vimeo.com/52967607 to http://vimeo.com/52967607
- uses crossdomain.xml from s3.amazonaws.com, which sets secure="false"
Server "av.vimeo.com" accepts only plain http. It is a CNAME to Akamai, providing:
- one of the crossdomain.xml policies
- the mp4 stream itself (!), e.g. http://av.vimeo.com/53582/034/127433681.mp4?aktimeoffset=0&aksessionid=934ec68da0bfe408ca1b45859b633d95&token=1353724714_ed490f0ff8abb6789d39e55363907700 (and no secure alternative address is known to date)
Server "a.videocdn.com" is excluded (for flash only)
- Without the exclusion, videos do not play from the vimeo portal, http://vimeo.com/52967607 (see https://mail1.eff.org/pipermail/https-everywhere/2012-October/001583.html); however, they do play fine when embedded on foreign sites, e.g. http://sid.rstack.org/blog/index.php/567-chasse-au-lapin
- With the exclusion, we get the exact opposite (videos play on the vimeo portal, but not on foreign sites)
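To make the trade-off above concrete, here is an added example (not the ticket author's code, and not the project's Vimeo.xml) that models how an HTTPS Everywhere ruleset is applied to a URL: the host must match a target, any matching exclusion wins over the rules, and otherwise the first matching rule rewrites the URL. The ruleset XML embedded below is constructed for this illustration; its targets, rule and exclusion patterns are assumptions chosen to reproduce the behaviour described in the ticket, and the a.videocdn.com path is invented.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed ruleset in HTTPS Everywhere's XML format. It is NOT the
# project's real Vimeo.xml; targets, rule and exclusion are assumptions.
RULESET_XML = r"""
<ruleset name="Vimeo (constructed example)">
  <target host="vimeo.com" />
  <target host="*.vimeo.com" />
  <target host="a.videocdn.com" />
  <exclusion pattern="^http://a\.videocdn\.com/" />
  <rule from="^http://(www\.)?vimeo\.com/" to="https://vimeo.com/" />
  <rule from="^http://a\.videocdn\.com/" to="https://a.videocdn.com/" />
</ruleset>
"""


class Ruleset:
    """Minimal model of HTTPS Everywhere ruleset semantics."""

    def __init__(self, xml_text, honour_exclusions=True):
        root = ET.fromstring(xml_text)
        self.name = root.get("name")
        self.targets = [t.get("host") for t in root.findall("target")]
        self.exclusions = [
            re.compile(e.get("pattern")) for e in root.findall("exclusion")
        ] if honour_exclusions else []
        # HTTPS Everywhere writes back-references as $1; Python wants \1.
        self.rules = [
            (re.compile(r.get("from")), re.sub(r"\$(\d+)", r"\\\1", r.get("to")))
            for r in root.findall("rule")
        ]

    def covers(self, host):
        """True if some <target> matches the host ('*.' = any subdomain, assumption)."""
        for t in self.targets:
            if t.startswith("*."):
                if host.endswith(t[1:]):
                    return True
            elif host == t:
                return True
        return False

    def rewrite(self, url):
        """Return (possibly rewritten URL, reason) for one URL."""
        host = urlparse(url).hostname or ""
        if not self.covers(host):
            return url, "no target"
        for ex in self.exclusions:          # exclusions are checked before rules
            if ex.search(url):
                return url, "excluded"
        for pat, repl in self.rules:        # first matching rule wins
            if pat.search(url):
                return pat.sub(repl, url, count=1), "rewritten"
        return url, "no rule matched"       # targeted host, but nothing to rewrite


# URLs from the ticket (the a.videocdn.com path is constructed).
TICKET_URLS = [
    "http://vimeo.com/52967607",
    "http://a.videocdn.com/flash/player.swf",
    "http://av.vimeo.com/53582/034/127433681.mp4",
]


def compare_exclusion_states(urls=TICKET_URLS):
    """Apply the ruleset with and without its <exclusion> to each URL."""
    with_ex = Ruleset(RULESET_XML, honour_exclusions=True)
    without_ex = Ruleset(RULESET_XML, honour_exclusions=False)
    return {u: (with_ex.rewrite(u), without_ex.rewrite(u)) for u in urls}


if __name__ == "__main__":
    for url, (kept, dropped) in compare_exclusion_states().items():
        print(url)
        print("  with exclusion   :", kept)
        print("  without exclusion:", dropped)
```

The av.vimeo.com stream URL is left alone in both states: its host matches the `*.vimeo.com` target, but no rule's `from` pattern applies, so the plain-HTTP stream the ticket describes stays plain HTTP regardless of the exclusion. Only the a.videocdn.com flash host changes behaviour when the exclusion is dropped, which is exactly the knob the two bullets above are arguing over.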
Current version & head
https://gitweb.torproject.org/https-everywhere.git/blob/HEAD:/src/chrome/content/rules/Vimeo.xml
See also #7554 (moved)
Trac:
Username: xaho