Opened 6 years ago

Last modified 23 months ago

#9536 new defect

Doesn't respect CSP policies

Reported by: Erom2
Owned by: pde
Priority: Medium
Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Assume a site pulls scripts from a CDN, like cdnjs.cloudflare.com using the http protocol, and has a script-src of "http://cdnjs.cloudflare.com" set in the Content-Security-Policy header.

If a user with HTTPS Everywhere installed were to browse on the site, it would try to fetch the scripts using https, which is forbidden by the CSP header, thus breaking the site.

Child Tickets

Change History (2)

comment:1 Changed 5 years ago by zyan

This is enough of an edge case that the "right" solution is probably to inform the site operator and ask them to add https://cdnjs.cloudflare.com to the CSP header. Alternatively, we could apply the HTTPS Everywhere rules to CSP headers in an http-on-modify-response header but that would be more of a project.

We also have this issue with CORS headers. Either Site A or Site B is rewritten by HTTPS Everywhere, so the CORS header in Site B no longer allows XHRs from Site A, causing Site A to break.
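The following is an added illustration of the two failure modes raised in the description and in comment:1; it is not code from the ticket or from HTTPS Everywhere. It models a CSP header whose script-src is pinned to an http:// source and a CORS Access-Control-Allow-Origin pinned to an http:// origin, then checks both against a URL that has been rewritten to https://. The header values, the host name site-a.example and the script path are constructed for the example, and `rewrite_to_https` is a one-line stand-in for the real ruleset engine. One caveat the ticket predates: CSP Level 3's scheme-part matching lets an http: source expression match an https: URL, so the `csp3_upgrade=True` path shows why current browsers no longer block the upgraded script, while the CORS origin comparison is still an exact string match and does break as comment:1 describes. `add_https_sources` implements the site-operator fix comment:1 recommends (listing the https:// source alongside the http:// one).

```python
"""Constructed demonstration of a CSP source and a CORS origin pinned to http://,
each checked against a URL or origin rewritten to https://.
Header values and host names below are constructed for this example."""
from urllib.parse import urlsplit

# Constructed header values modelled on the ticket's scenario.
CSP_HEADER = "script-src http://cdnjs.cloudflare.com; default-src 'self'"
CORS_ALLOW_ORIGIN = "http://site-a.example"   # hypothetical "Site B" response header


def rewrite_to_https(url):
    """Minimal stand-in for an http-to-https rewrite (not HTTPS Everywhere's ruleset engine)."""
    return "https://" + url[len("http://"):] if url.startswith("http://") else url


def parse_csp(header):
    """Parse a CSP header value into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _scheme_matches(expr_scheme, url_scheme, csp3_upgrade):
    """Scheme-part match. With csp3_upgrade=True, apply the CSP Level 3 rule that
    an http: source also matches https: URLs (and ws: matches wss:)."""
    if expr_scheme == url_scheme:
        return True
    return csp3_upgrade and (expr_scheme, url_scheme) in {("http", "https"), ("ws", "wss")}


def source_matches(expr, url, csp3_upgrade):
    """Does one host-source expression (e.g. http://cdn.example, *.example) allow url?
    Keyword sources ('self', 'none', ...), ports and path-parts are not modelled."""
    if expr.startswith("'"):
        return False
    expr_scheme, host_part = expr.split("://", 1) if "://" in expr else (None, expr)
    host = host_part.split("/", 1)[0].split(":", 1)[0].lower()
    u = urlsplit(url)
    if expr_scheme is not None and not _scheme_matches(expr_scheme.lower(), u.scheme.lower(), csp3_upgrade):
        return False
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host


def csp_allows(header, directive, url, csp3_upgrade):
    """Would the policy let `directive` (e.g. script-src) load url?
    Falls back to default-src when the directive is absent, as browsers do."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_matches(s, url, csp3_upgrade) for s in sources)


def add_https_sources(header):
    """Site-operator fix suggested in comment:1: for every http:// source,
    also list the https:// equivalent so either scheme is allowed."""
    out = []
    for directive, sources in parse_csp(header).items():
        extras = ["https://" + s[len("http://"):] for s in sources if s.startswith("http://")]
        merged = sources + [e for e in extras if e not in sources]
        out.append(" ".join([directive] + merged))
    return "; ".join(out)


def cors_allows(allow_origin, request_origin):
    """Browser-side CORS check: Access-Control-Allow-Origin must be "*" or an
    exact (scheme + host + port) match for the request's Origin header."""
    return allow_origin == "*" or allow_origin == request_origin


if __name__ == "__main__":
    script = "http://cdnjs.cloudflare.com/ajax/libs/example/1.0/example.js"   # constructed URL
    upgraded = rewrite_to_https(script)
    print("original script allowed :", csp_allows(CSP_HEADER, "script-src", script, csp3_upgrade=False))
    print("rewritten, strict scheme:", csp_allows(CSP_HEADER, "script-src", upgraded, csp3_upgrade=False))
    print("rewritten, CSP3 rule    :", csp_allows(CSP_HEADER, "script-src", upgraded, csp3_upgrade=True))
    print("rewritten, fixed header :", csp_allows(add_https_sources(CSP_HEADER), "script-src", upgraded, csp3_upgrade=False))
    print("CORS after rewrite      :", cors_allows(CORS_ALLOW_ORIGIN, rewrite_to_https("http://site-a.example")))
```

Running the script prints True, False, True, True, False in that order: the strict-scheme check reproduces the breakage in the description, the CSP3 rule or the widened header avoids it, and the CORS comparison fails exactly as comment:1 describes because the rewritten Origin no longer equals the allowed one.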

comment:2 Changed 23 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"
