Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#8637 closed defect (fixed)

Uploading files does not work in SoundCloud

Reported by: cypherpunks Owned by: pde
Priority: High Milestone: HTTPS-E 3.2
Component: HTTPS Everywhere/EFF-HTTPS Everywhere Version: HTTPS-E 3.1.4
Severity: Keywords: httpse-ruleset-bug, soundcloud
Cc: kosterinaleksey@…, parker@…, micahlee Actual Points:
Parent ID: #6980 Points:
Reviewer: Sponsor:

Child Tickets

Change History (7)

comment:1 Changed 7 years ago by pde

Cc: parker@… added
Priority: normalmajor

Parker, do you know who at Soundcloud we should ping to figure out a fix for this?

Information about the way we rewrite requests to soundcloud is here:

https://www.eff.org/https-everywhere/atlas/domains/soundcloud.com.html

comment:2 Changed 7 years ago by pde

Cc: micahlee added

OK it turns out that this isn't a problem with the Soundcloud ruleset (which is actually only in the 4.0 development releases, not 3.1.4 stable) but the AmazonAWS ruleset. The problem appears to be caused by the crossdomain.xml file on that domain, although I'm not exactly sure why. I've confirmed that we could work around the problem by adding

<exclusion pattern="^http://soundcloud-upload\.s3\.amazonaws\.com/" />

to the AmazonAWS ruleset, but it would be better if Soundcloud folks could figure out how to make things work if that domain is httpsified.

comment:3 Changed 7 years ago by pde

Parent ID: #6980

comment:4 Changed 7 years ago by ohookins

I believe the issue is due to the SWF being loaded over http, but the crossdomain.xml being loaded over https. We need the secure=false option to be present in the crossdomain policy to allow the Flash uploader to use the policy.

I'll verify the fix on Monday once we have some more support staff around to verify it does not cause unwanted issues and then update this ticket.

comment:5 Changed 7 years ago by ohookins

Unfortunately the above mentioned fix didn't solve the problem, and we are having trouble duplicating the problem reliably. Sometimes it works, and sometimes it doesn't (which may be a Flash bug).

For the moment I'd recommend putting in that exclusion until we can figure out a way to make Flash play nicely with HTTPS in this situation.

comment:6 Changed 7 years ago by pde

Resolution: fixed
Status: newclosed

The fix for this is in git and should be in a new release today.

comment:7 Changed 7 years ago by pde

Milestone: HTTPS-E 3.2
Note: See TracTickets for help on using tickets.