Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#7774 closed defect (fixed)

HTTPS Everywhere rule for etsy.com appears broken.

Reported by: bgshacklett
Owned by: pde
Priority: Medium
Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere
Version:
Severity:
Keywords: httpse-ruleset-bug
Cc: runa, mikeperry, MB
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

The HTTPS rule for etsy.com appears to break a lot of the JavaScript functions on the site. Clicking certain buttons and links results in errors in the JS console and little else.

Change History (10)

comment:1 Changed 7 years ago by barn

Component: - Select a component → EFF-HTTPS Everywhere
Owner: set to pde
Priority: minor → normal

Yeah, I had a bash at updating it, based on how things now are, but I couldn't get past the javascript issue for the login box.

My code is at https://github.com/barn/https-everywhere/commit/4d33fd30c1c40ecb663bbf40239eb95928f8650b if someone else would like to punt on it?

The options for users are to disable HTTPS-Everywhere for Etsy and then enable HTTPS on the site once logged in. Not log in. Or... just not use it.

comment:2 Changed 7 years ago by runa

Cc: runa mikeperry added

comment:3 Changed 7 years ago by runa

I know the login functionality breaks (that is, clicking the log in button does nothing). Anything else?

comment:4 Changed 7 years ago by barn

Well, that's a big chunk of the use case of the site. That means you can't buy or sell on there, only look.

The login overlay is presented via JavaScript, that is being loaded, but I'm wondering if there's some permissions issue which causes it not to run that code once it's tricked into being a different protocol. My JavaScript-fu isn't good enough (read: nonexistent) to work it out.

comment:5 Changed 7 years ago by runa

The login functionality breaks when you're coming from http://etsy.com, but not when you're coming from https://etsy.com

comment:6 Changed 7 years ago by mikeperry

Keywords: httpse-ruleset-bug added

comment:7 Changed 7 years ago by barn

Yeah, the site works fine via HTTPS if you go direct, but that, I do not believe, is in any way impacted by HTTPS-Everywhere.

I'd like to either fix the functionality of HTTPS-Everywhere for http://etsy.com/ or remove the rules for etsy, so that the site works for all users, as currently it does not.

comment:8 Changed 7 years ago by pde

Cc: MB added

Barn, I'm merging your changes into master, and taking the additional step of removing the securecookie directive, because that looks quite inappropriate for this ruleset (any site that sometimes redirects back to HTTP is liable to break if it can't see the cookies that have been flagged secure).

In the 3.0 branch, I'm just going to disable this ruleset altogether until we like what we have in 4.0 development releases.
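
The failure mode described in comment:8, as an added example that is not part of the ticket or of the HTTPS Everywhere code base: a simplified model of a securecookie directive flags a session cookie Secure, after which the cookie is no longer attached to a request the site sends back to http://. The host `example.com`, the `session` cookie, the `SECURECOOKIE` values and the helper names are constructed, and Python's `http.cookiejar` stands in for the browser's cookie store.

```python
import re
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

# Constructed stand-in for a ruleset's securecookie directive (host and
# cookie-name regexes). Assumed values, not taken from the Etsy ruleset.
SECURECOOKIE = {"host": r"^(.*\.)?example\.com$", "name": r".*"}


def make_cookie(name, value, domain, secure=False):
    """Build a session cookie the way a site would set it without Secure."""
    return Cookie(0, name, value, None, False, domain, True,
                  domain.startswith("."), "/", True, secure, None, True,
                  None, None, {})


def apply_securecookie(jar, directive):
    """Flag every cookie matching the directive as Secure (simplified model)."""
    for cookie in jar:
        if (re.search(directive["host"], cookie.domain.lstrip("."))
                and re.search(directive["name"], cookie.name)):
            cookie.secure = True


def cookie_header(jar, url):
    """Return the Cookie header the jar would attach to a request for url."""
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def simulate(with_securecookie):
    """Show which requests carry the session cookie, per scheme."""
    jar = CookieJar()
    jar.set_cookie(make_cookie("session", "abc123", ".example.com"))
    if with_securecookie:
        apply_securecookie(jar, SECURECOOKIE)
    # The site later sends the user back to a plain-HTTP page.
    return {
        "https": cookie_header(jar, "https://www.example.com/cart"),
        "http": cookie_header(jar, "http://www.example.com/signin"),
    }


if __name__ == "__main__":
    print("with securecookie:   ", simulate(True))
    print("without securecookie:", simulate(False))
```

With the directive applied, the HTTP request arrives without the session cookie, so the server treats the user as logged out; without it, both requests carry the cookie.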

comment:9 Changed 7 years ago by pde

Resolution: fixed
Status: new → closed

This possible fix in devel (and disablement in 3.0) should be released shortly.

comment:10 Changed 7 years ago by barn

Brilliant. Thank you for responding so rapidly on this!
