Opened 7 years ago

Closed 7 years ago

#8664 closed defect (duplicate)

Firefox 23 blocks loading of HTTPS/HTTP mixed content, breaking nytimes.com

Reported by: cypherpunks
Owned by: pde
Priority: Medium
Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere
Version: HTTPS-E 3.1.4
Severity:
Keywords:
Cc: torproject@…, pde, micahlee
Actual Points:
Parent ID: #8774
Points:
Reviewer:
Sponsor:

Description

HTTPS Everywhere should disable rules for "mixed content" sites (such as "NYTimes (mixed content)"), or at least for browsers that prevent loading of mixed content, like Firefox 23+.

Change History (6)

comment:1 Changed 7 years ago by mikeperry

I assume Mozilla will provide us with a pref to disable this behavior? We probably want to re-enable these rules if the user changes that pref.

We probably also want an easy-access UI option to turn all of these rules back on, too. In fact, we may want to provide three choices: Allow mixed content; Block non-HTTP elements; Disable mixed-content rules. With better wording than that, of course.

I wonder if there will also be a way for us to tell if the mixed content error is on a site we promoted to HTTPS. If so, we may want to have a way to override this mixed-content pref decision on a per-load basis, while not globally enabling mixed-content for all sites.

comment:2 Changed 7 years ago by cypherpunks

See Firefox bug 834836 for more info: https://bugzil.la/834836

Firefox 18 added a new about:config pref "security.mixed_content.block_active_content", defaulting to false. Firefox 23 toggled the default value to true. HTTPS Everywhere could query "security.mixed_content.block_active_content" to see if mixed content will cause problems with HTTPS.

Firefox allows users to allow mixed content on a per-site basis using Firefox's "doorhanger" permissions UI. I don't know if there is a way for an add-on to programmatically query an individual site's mixed content permissions.

comment:3 Changed 7 years ago by mikeperry

Cc: pde added

Actually, I think the doorhanger UI is probably exactly what we want. We would probably default to leaving it disabled and let the user click the doorhanger UI if they want mixed-content to load.

Might get annoying with TBB's New Identity though (which clears site permissions). We probably would have to look into providing an option to protect site permissions for New Identity for TBB.

comment:4 Changed 7 years ago by pde

We've already made some attempts to flag all the rulesets that create mixed content situations for the Chrome port, where the mixed content is blocked by default and Google refused to give us a way to override that or even give the user a better UI for doing so.

(In Google's defense there are some rare cases where forcing HTTPS and allowing mixed content is worse than not forcing HTTPS at all; they would apply to the very rare sites that actually have a secure HTTPS deployment for part of their site and HTTP for the rest of the site).

Despite that, I think on balance we're probably better off allowing mixed content in pages that we forced to be HTTPS in the first place. But the alternative is to expand and improve the list of "mixedcontent" rules, and disable them all by default in Firefox.

comment:5 Changed 7 years ago by pde

Cc: micahlee added

comment:6 Changed 7 years ago by pde

Parent ID: #8774
Resolution: duplicate
Status: new → closed

This is now bug #8774.
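
The approach discussed in comments 2 and 4 (flag rulesets that create mixed content, then disable them when `security.mixed_content.block_active_content` is true), as an added example that is not part of the ticket or of HTTPS Everywhere's code. The ruleset shape, function names, active-type list and sample URLs are constructed assumptions; the pref value is passed in as a boolean rather than read from the browser.

```javascript
// Added example; not HTTPS Everywhere code. Ruleset shape and sample data are constructed.

// Simplified list of subresource types Firefox treats as "active" mixed content.
// Images, audio and video are passive and are not blocked by this pref.
const ACTIVE_TYPES = new Set(["script", "stylesheet", "iframe", "xhr", "object", "font"]);

// Constructed ruleset: only www.example.com is upgraded to HTTPS.
const RULESET = {
  name: "Example (constructed)",
  mixedContent: false,
  rules: [{ from: /^http:\/\/www\.example\.com\//, to: "https://www.example.com/" }],
};

// Constructed page load: the page plus the subresources it references.
const PAGE = "http://www.example.com/index.html";
const SUBRESOURCES = [
  { type: "stylesheet", url: "http://www.example.com/site.css" }, // upgraded by the rule
  { type: "script", url: "http://static.example.net/app.js" },    // no rule: stays HTTP
  { type: "image", url: "http://img.example.net/logo.png" },      // passive: not blocked
];

// Apply the first matching rule; return the URL unchanged when nothing matches.
function rewrite(url, ruleset) {
  for (const { from, to } of ruleset.rules) {
    if (from.test(url)) return url.replace(from, to);
  }
  return url;
}

// Active subresources that are still HTTP after the page itself was forced to HTTPS.
function blockedActiveContent(pageUrl, subresources, ruleset) {
  if (!rewrite(pageUrl, ruleset).startsWith("https://")) return [];
  return subresources
    .filter((r) => ACTIVE_TYPES.has(r.type))
    .map((r) => ({ type: r.type, url: rewrite(r.url, ruleset) }))
    .filter((r) => r.url.startsWith("http://"));
}

// Flag the ruleset if forcing HTTPS leaves active content that the browser would block.
function flagRuleset(ruleset, pageUrl, subresources) {
  const blocked = blockedActiveContent(pageUrl, subresources, ruleset);
  return { ...ruleset, mixedContent: blocked.length > 0 };
}

// blockActiveContent is the value of security.mixed_content.block_active_content.
function shouldEnable(ruleset, blockActiveContent) {
  return !(ruleset.mixedContent && blockActiveContent);
}
```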