Opened 7 years ago

Last modified 22 months ago

#7575 new defect

WebAssign site produces litany of "Security Warning" alerts

Reported by: cypherpunks
Owned by: pde
Priority: Medium
Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID: #3777
Points:
Reviewer:
Sponsor:

Description

VERSION: HTTPS Everywhere 3.0.4
BROWSER: Firefox 17.0 on Windows

While using WebAssign as a logged-in user and with HTTPS Everywhere protection enabled, one encounters a "Security Warning" for every click due to what the browser thinks is the submission of an unprotected form from an https-protected webpage. In reality (as verified using Firefox's web console), HTTPS Everywhere is indeed converting the http POST link to https, but at a lower level than whatever causes the warning dialog.

I suspect the reason HTTPS Everywhere can't convert the link ahead of time is due to its being generated by JavaScript such as this:

javascript:onclick=document.forms[0].clicked.value='31,17';document.forms[0].action.value='roster/view';%20document.forms[0].showAll.value='0';document.forms[0].submit(this);

To reproduce:

  1. Go to the WebAssign demo site
    1. Note that this subdomain is not currently covered by the HTTPS Everywhere plugin, but the plugin could easily be extended for both testing and production purposes.
  2. Change the http to https (or have HTTPS Everywhere do it for you by including demo.webassign.net)
  3. Click on something like "Roster"
  4. See the submission error

Could someone please take a look at this?

Thank you in advance

Change History (3)

comment:1 Changed 7 years ago by cypherpunks

To add a little, the warning is happening due to a giant form on webassign.net's site that uses an absolute http URL to POST to, which then gets converted to https by HTTPS Everywhere. This conversion must take place after the Firefox logic that detects posting to a non-https URL from an https one.

Is there a way for HTTPS Everywhere to rewrite the URL before the Firefox posting logic sees it in order to rid ourselves of this error?
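
Added example, not part of the ticket or of HTTPS Everywhere's code: a small audit that resolves each form's `action` against the page URL, the way a markup-level insecure-submission check sees it before any request rewriting, and lists the targets that leave HTTPS. The markup, the host `demo.example.test` and the function names are assumptions made for illustration.

```javascript
// Constructed sample markup (placeholder host), not WebAssign's real page.
const SAMPLE_HTML = `
<form method="post" action="http://demo.example.test/web/Instructor">
  <input type="hidden" name="action" value="">
</form>
<form method="post" action="/login"></form>
<form method="post" action="//demo.example.test/search"></form>
<form method="post"></form>
<form method="post" action="https://demo.example.test/ok"></form>`;

// Pull the action attribute out of each <form> tag (undefined when absent).
// A hidden <input name="action"> is a separate field and is not consulted.
function formActions(html) {
  const actions = [];
  const formTag = /<form\b([^>]*)>/gi;
  const actionAttr = /(?:^|\s)action\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let m;
  while ((m = formTag.exec(html)) !== null) {
    const attr = actionAttr.exec(m[1]);
    actions.push(attr ? attr.slice(1).find((v) => v !== undefined) : undefined);
  }
  return actions;
}

// Resolve every action against the page URL and keep the ones that would
// submit over plain http from an https page.
function insecureFormTargets(pageUrl, html) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return []; // check only applies on secure pages
  return formActions(html)
    .map((a) => new URL(a || "", page)) // missing or empty action posts to the page itself
    .filter((target) => target.protocol === "http:")
    .map((target) => target.href);
}

// The site-side correction: same target, scheme upgraded in the markup itself.
function upgradedAction(action) {
  return action.replace(/^http:\/\//i, "https://");
}
```

Relative, protocol-relative and missing actions inherit the page's https scheme, so only the absolute `http://` action is reported; changing that attribute at the source removes the condition the warning keys on.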

comment:2 Changed 7 years ago by pde

Parent ID: #3777

comment:3 Changed 22 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"
