Opened 7 years ago

Closed 7 years ago

#7569 closed defect (fixed)

HTTPS-E "Vimeo" Ruleset breaks video player when embedded in foreign sites

Reported by: xaho
Owned by: pde
Priority: Medium
Component: HTTPS Everywhere/EFF-HTTPS Everywhere
Version: HTTPS-E 4.0dev3
Keywords: httpse-ruleset-bug

Description

Should the "Vimeo" ruleset be disabled by default?

Altogether, quite a few bits transit over clear http: not only the stream itself, but also the main portal (302), jpg pics etc. And the current ruleset's exclusion breaks embedded video in foreign sites.

Vimeo web server

or https://secure.vimeo.com/52967607
to http://vimeo.com/52967607

  • uses crossdomain.xml from s3.amazonaws.com, which sets secure="false"

Server "av.vimeo.com" accepts only plain http.
It is a CNAME to Akamai, providing:

(and no secured alternative address is known to date)

Server "a.vimeocdn.com" is excluded (for flash only)

<exclusion pattern="http://a\.vimeocdn\.com/p/flash/moogaloop/" />

  • Without the exclusion, videos do *not* play from the vimeo portal,

http://vimeo.com/52967607
https://mail1.eff.org/pipermail/https-everywhere/2012-October/001583.html

however, they *do* play fine when embedded from foreign sites, e.g.

http://sid.rstack.org/blog/index.php/567-chasse-au-lapin

  • With the exclusion, we get the exact opposite (videos play on the vimeo portal, but not from foreign sites)

Current version & head

https://gitweb.torproject.org/https-everywhere.git/blob/4f92f184d5eb479904f5c625fa34cb93020c8856:/src/chrome/content/rules/Vimeo.xml

https://gitweb.torproject.org/https-everywhere.git/blob/HEAD:/src/chrome/content/rules/Vimeo.xml

See also #7554
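The behaviour the description turns on (a matching exclusion suppresses every rewrite for that URL, while hosts with no matching rule stay on plain http) is shown below as an added example. This is a small Python model of how an HTTPS Everywhere ruleset is applied, written for this page; it is not the ticket's or the project's own code. Only the exclusion line is quoted from the ticket; the <target> and <rule> entries, the target-lookup approximation, and the sample URLs are assumed or constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hypothetical ruleset in HTTPS Everywhere's XML format. Only the <exclusion> line
# is quoted from the ticket; the <target> and <rule> entries are assumed.
VIMEO_RULESET = r"""<ruleset name="Vimeo">
  <target host="vimeo.com" />
  <target host="*.vimeo.com" />
  <target host="a.vimeocdn.com" />
  <exclusion pattern="http://a\.vimeocdn\.com/p/flash/moogaloop/" />
  <rule from="^http://(www\.)?vimeo\.com/" to="https://vimeo.com/" />
  <rule from="^http://a\.vimeocdn\.com/" to="https://a.vimeocdn.com/" />
</ruleset>
"""


def _js_backrefs_to_python(template):
    # Rule "to" attributes use JavaScript-style $1 backreferences; re.sub wants \1.
    return re.sub(r"\$(\d+)", r"\\\1", template)


class Ruleset:
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.name = root.get("name")
        # A ruleset carrying default_off="..." is shipped disabled (comment:4 below).
        self.enabled = root.get("default_off") is None
        self.targets = [t.get("host") for t in root.findall("target")]
        self.exclusions = [re.compile(e.get("pattern")) for e in root.findall("exclusion")]
        self.rules = [(re.compile(r.get("from")), _js_backrefs_to_python(r.get("to")))
                      for r in root.findall("rule")]

    def applies_to(self, host):
        # Approximation (assumed for this example) of the host lookup: try the exact host,
        # then wildcard forms with leading labels dropped ("av.vimeo.com" -> "*.vimeo.com").
        labels = host.split(".")
        candidates = [host] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
        return any(c in self.targets for c in candidates)

    def rewrite(self, url):
        """Return the rewritten URL, or the URL unchanged when the ruleset is off, the host
        is not a target, an exclusion matches, or no rule matches (first matching rule wins)."""
        if not self.enabled:
            return url
        if not self.applies_to(urlparse(url).hostname or ""):
            return url
        if any(ex.search(url) for ex in self.exclusions):
            return url
        for pattern, template in self.rules:
            if pattern.search(url):
                return pattern.sub(template, url, count=1)
        return url


def without_exclusions(xml_text):
    """Same ruleset with every <exclusion> removed, to compare the two states in the ticket."""
    root = ET.fromstring(xml_text)
    for ex in root.findall("exclusion"):
        root.remove(ex)
    return ET.tostring(root, encoding="unicode")


# Constructed sample URLs: the portal video from the ticket, a flash player URL under the
# excluded prefix, and an assumed stream URL on the http-only av.vimeo.com host.
SAMPLE_URLS = [
    "http://vimeo.com/52967607",
    "http://www.vimeo.com/52967607",
    "http://a.vimeocdn.com/p/flash/moogaloop/moogaloop.swf",
    "http://av.vimeo.com/stream.mp4",
]


def compare(urls):
    """Map each URL to (result with the exclusion, result without the exclusion)."""
    with_excl = Ruleset(VIMEO_RULESET)
    no_excl = Ruleset(without_exclusions(VIMEO_RULESET))
    return {u: (with_excl.rewrite(u), no_excl.rewrite(u)) for u in urls}


if __name__ == "__main__":
    for url, (kept, dropped) in compare(SAMPLE_URLS).items():
        print(f"{url}\n  with exclusion:    {kept}\n  without exclusion: {dropped}")
```

Running it shows the trade-off the reporter describes: with the exclusion in place the moogaloop flash URL is left on plain http even though a rule would otherwise upgrade it, and av.vimeo.com is never upgraded in either state because no rule matches it, which is the http traffic the ticket lists as unavoidable.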

Change History (4)

comment:1 Changed 7 years ago by xaho

Using

firefox-16.0.2-1.fc16.x86_64
HTTPS-E 3.0.4 (or 4.0dev2, same results)

NB. ticket set to trac Version "HTTPS-E 4.0dev1" since I can't find any "HTTPS-E 3.0.4" or "HTTPS-E 4.0dev2" in the list.

comment:2 Changed 7 years ago by xaho

Version: HTTPS-E 4.0dev1 → HTTPS-E 4.0dev3

Applies to HTTPS-E 3.1 and 4.0dev3 (firefox-16.0.2-1.fc16.x86_64)

comment:3 Changed 7 years ago by mikeperry

Keywords: httpse-ruleset-bug added; vimeo, ruleset, portal, embedded, video, flash removed

comment:4 Changed 7 years ago by schoen

Resolution: fixed
Status: new → closed

In light of this bug and the analysis of the limited usefulness of the current ruleset for security and privacy, I'm setting this rule off by default. It's too bad, but xaho's argument shows that people are not getting that much value from it anyway.