[tbb-bugs] #26548 [Applications/Tor Browser]: HTTPS Everywhere's injection of upgrade-insecure-requests header appears to be broken on 8.0a9
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Jun 28 11:08:54 UTC 2018
#26548: HTTPS Everywhere's injection of upgrade-insecure-requests header appears to
be broken on 8.0a9
------------------------------------------+----------------------
Reporter: cypherpunks | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------------------+----------------------
I compared the behavior between 8.0a8 and 8.0a9:
* Open 8.0a8, and check "Block all unencrypted requests" in the
HTTPS-E popup.
* Go to a mixedcontent website (go to the GitHub repository
efforg/https-everywhere, then search for mixedcontent and find a recently
edited one; here's an example of such a site (not privatebin.net but the
one written there):
https://privatebin.net/?b5c69abb9501c2d5#fbNBF8M+XNeluv6+O00aGLjAWkrcUAnBDsgZLkP0RQY=
)
* So open that site up while your browser console is open; you can see
that HTTPS-E injects an upgrade-insecure-requests header and everything is
going through HTTPS now, including scripts, CSS, etc.
----------------
* Open 8.0a9, and check "Block all unencrypted requests" in the
HTTPS-E popup.
* Go to the previously mentioned site.
* There doesn't appear to be any injection of the upgrade-insecure-requests
header; CSS is broken, etc. as a result.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26548>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
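
One way to make the 8.0a8 / 8.0a9 comparison in the steps above repeatable, as an added example (not part of the original ticket or of HTTPS Everywhere's code): given a page's response headers in the {name, value} shape of WebExtension webRequest responseHeaders, report whether an enforced upgrade-insecure-requests directive is present. The function names and both header sets are constructed for illustration.

```javascript
// Split one CSP header value into its policies (comma-separated), each
// reduced to a list of lower-cased directive names.
function parsePolicies(headerValue) {
  return headerValue.split(',').map((policy) =>
    policy.split(';')
      .map((directive) => directive.trim().split(/\s+/)[0].toLowerCase())
      .filter((name) => name.length > 0));
}

// Returns { enforced, ignoredReportOnly }.
// enforced: an enforcing Content-Security-Policy header carries the directive.
// ignoredReportOnly: the directive appears only in a Report-Only header,
// where browsers ignore it, so subresources are not upgraded.
function checkUpgradeInsecureRequests(responseHeaders) {
  let enforced = false;
  let reportOnly = false;
  for (const { name, value } of responseHeaders) {
    const header = name.toLowerCase(); // header names are case-insensitive
    const isCsp = header === 'content-security-policy';
    const isReportOnly = header === 'content-security-policy-report-only';
    if (!isCsp && !isReportOnly) continue;
    const present = parsePolicies(value || '')
      .some((names) => names.includes('upgrade-insecure-requests'));
    if (!present) continue;
    if (isCsp) enforced = true;
    else reportOnly = true;
  }
  return { enforced, ignoredReportOnly: reportOnly && !enforced };
}

// Constructed header sets (not captured from either build): the site's own
// policy plus an injected header, and the site's own policy alone.
const withInjection = [
  { name: 'Content-Type', value: 'text/html' },
  { name: 'content-security-policy', value: "default-src 'self'; img-src *" },
  { name: 'Content-Security-Policy', value: 'upgrade-insecure-requests' },
];
const withoutInjection = [
  { name: 'Content-Type', value: 'text/html' },
  { name: 'Content-Security-Policy', value: "default-src 'self'; img-src *" },
];
const reportOnlyInjection = [
  { name: 'Content-Security-Policy-Report-Only',
    value: "default-src 'self', Upgrade-Insecure-Requests" },
];

console.log(checkUpgradeInsecureRequests(withInjection));
console.log(checkUpgradeInsecureRequests(withoutInjection));
console.log(checkUpgradeInsecureRequests(reportOnlyInjection));
```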