[tor-bugs] #3673 [EFF-HTTPS Everywhere]: Jobvite inclusions broken on dropbox.com

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Mon Aug 1 21:48:37 UTC 2011


#3673: Jobvite inclusions broken on dropbox.com
----------------------------------+-----------------------------------------
 Reporter:  pde                   |          Owner:  pde     
     Type:  defect                |         Status:  accepted
 Priority:  normal                |      Milestone:          
Component:  EFF-HTTPS Everywhere  |        Version:          
 Keywords:                        |         Parent:          
   Points:                        |   Actualpoints:          
----------------------------------+-----------------------------------------

Comment(by pde):

 Here are what I think are the relevant Live HTTP Headers, from after
 HTTPS-Everywhere has detected the loop and given up rewriting:
 {{{
 ----------------------------------------------------------
 http://www.dropbox.com/position?jvi=oQ1lVfwR,Job

 GET /position?jvi=oQ1lVfwR,Job HTTP/1.1
 Host: www.dropbox.com
 User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:5.0) Gecko/20100101
 Firefox/5.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-us,en;q=0.5
 Accept-Encoding: gzip, deflate
 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
 Connection: keep-alive
 Referer:
 http://hire.jobvite.com/CompanyJobs/Careers.aspx?k=JobListing&c=qD19Vfws&jvresize=http%3a%2f%2fwww.dropbox.com%2fframeresize.htm&v=1
 Cookie: gvc=MzA4NjE5Mjg4MjU0MDE2MjQ2ODkyMDQzNDgzOTAyNDE2MzU5NjY2;
 __utma=145599457.311659016731854700.1312234669.1312234669.1312234669.1;
 __utmb=145599457.5.10.1312234669; __utmc=145599457;
 __utmz=145599457.1312234669.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
 Pragma: no-cache
 Cache-Control: no-cache

 HTTP/1.1 200 OK
 Server: nginx
 Date: Mon, 01 Aug 2011 21:40:08 GMT
 Content-Type: text/html; charset=utf-8
 Transfer-Encoding: chunked
 Connection: keep-alive
 Pragma: no-cache
 Cache-Control: no-cache
 Content-Encoding: gzip
 ----------------------------------------------------------
 http://hire.jobvite.com/CompanyJobs/Jobs.aspx?c=qD19Vfws&jvresize=http://www.dropbox.com/frameresize.htm&j=oQ1lVfwR,Job&k=Job

 GET
 /CompanyJobs/Jobs.aspx?c=qD19Vfws&jvresize=http://www.dropbox.com/frameresize.htm&j=oQ1lVfwR,Job&k=Job
 HTTP/1.1
 Host: hire.jobvite.com
 User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:5.0) Gecko/20100101
 Firefox/5.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-us,en;q=0.5
 Accept-Encoding: gzip, deflate
 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
 Connection: keep-alive
 Referer: http://www.dropbox.com/position?jvi=oQ1lVfwR,Job
 Cookie: ASP.NET_SessionId=25anfp55pjrmhk55yhioiurf;
 __utma=197432630.1540392077.1312234672.1312234672.1312234672.1;
 __utmb=197432630.15.10.1312234672; __utmc=197432630;
 __utmz=197432630.1312234672.1.1.utmcsr=dropbox.com|utmccn=(referral)|utmcmd=referral|utmcct=/jobs;
 __utmv=197432630.|1=UserId=07f72031-ce41-4b45-9acd-
 3c0ee4a6f203=1,2=CompanyId=qD19Vfws=1; guestidc=07f72031-ce41-4b45-9acd-
 3c0ee4a6f203

 HTTP/1.1 302 Object Moved
 Cache-Control: no-cache
 Pragma: no-cache
 Content-Type: text/html; charset=utf-8
 Expires: -1
 Location:
 Careers.aspx?k=JobListing&c=qD19Vfws&jvresize=http%3a%2f%2fwww.dropbox.com%2fframeresize.htm&j=oQ1lVfwR%2cJob&v=1
 Server: Microsoft-IIS/7.0
 X-AspNet-Version: 2.0.50727
 X-Powered-By: ASP.NET
 Date: Mon, 01 Aug 2011 21:40:09 GMT
 Content-Length: 155
 ----------------------------------------------------------
 http://hire.jobvite.com/CompanyJobs/Careers.aspx?k=JobListing&c=qD19Vfws&jvresize=http%3a%2f%2fwww.dropbox.com%2fframeresize.htm&j=oQ1lVfwR%2cJob&v=1

 GET
 /CompanyJobs/Careers.aspx?k=JobListing&c=qD19Vfws&jvresize=http%3a%2f%2fwww.dropbox.com%2fframeresize.htm&j=oQ1lVfwR%2cJob&v=1
 HTTP/1.1
 Host: hire.jobvite.com
 User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:5.0) Gecko/20100101
 Firefox/5.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-us,en;q=0.5
 Accept-Encoding: gzip, deflate
 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
 Connection: keep-alive
 Referer: http://www.dropbox.com/position?jvi=oQ1lVfwR,Job
 Cookie: ASP.NET_SessionId=25anfp55pjrmhk55yhioiurf;
 __utma=197432630.1540392077.1312234672.1312234672.1312234672.1;
 __utmb=197432630.15.10.1312234672; __utmc=197432630;
 __utmz=197432630.1312234672.1.1.utmcsr=dropbox.com|utmccn=(referral)|utmcmd=referral|utmcct=/jobs;
 __utmv=197432630.|1=UserId=07f72031-ce41-4b45-9acd-
 3c0ee4a6f203=1,2=CompanyId=qD19Vfws=1; guestidc=07f72031-ce41-4b45-9acd-
 3c0ee4a6f203

 HTTP/1.1 200 OK
 Cache-Control: no-cache
 Pragma: no-cache
 Content-Type: text/html; charset=utf-8
 Expires: -1
 Server: Microsoft-IIS/7.0
 X-AspNet-Version: 2.0.50727
 X-Powered-By: ASP.NET
 Date: Mon, 01 Aug 2011 21:40:09 GMT
 Content-Length: 22590
 ----------------------------------------------------------
 https://www.dropbox.com/frameresize.htm?height=1263

 GET /frameresize.htm?height=1263 HTTP/1.1
 Host: www.dropbox.com
 User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:5.0) Gecko/20100101
 Firefox/5.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-us,en;q=0.5
 Accept-Encoding: gzip, deflate
 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
 Connection: keep-alive
 Referer:
 http://hire.jobvite.com/CompanyJobs/Careers.aspx?k=JobListing&c=qD19Vfws&jvresize=http%3a%2f%2fwww.dropbox.com%2fframeresize.htm&j=oQ1lVfwR%2cJob&v=1
 Cookie: gvc=MzA4NjE5Mjg4MjU0MDE2MjQ2ODkyMDQzNDgzOTAyNDE2MzU5NjY2;
 __utma=145599457.311659016731854700.1312234669.1312234669.1312234669.1;
 __utmb=145599457.6.10.1312234669; __utmc=145599457;
 __utmz=145599457.1312234669.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

 HTTP/1.1 200 OK
 Server: nginx
 Date: Mon, 01 Aug 2011 21:40:11 GMT
 Content-Type: text/html; charset=utf-8
 Transfer-Encoding: chunked
 Connection: keep-alive
 Pragma: no-cache
 Cache-Control: no-cache
 Content-Encoding: gzip
 ----------------------------------------------------------
 }}}

 Joe, could the problem have anything to do with that last frameresize
 request?  Might that behave differently when we send it over https for
 some reason?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3673#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
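
Added example, not part of the ticket or of HTTPS Everywhere's code: a small JavaScript (Node) parser for a Live HTTP Headers capture like the one above, which lists hosts that were fetched under both http and https. Browsers treat those as different origins, which is relevant when asking whether the https frameresize request behaves differently. The function names and the abbreviated sample are assumptions made for the example.

```javascript
// Added example: not part of the ticket or of HTTPS Everywhere's code.
// SAMPLE is constructed: three requests abbreviated from the capture above.
const SEP = '-'.repeat(58);
const SAMPLE = [
  SEP,
  'http://www.dropbox.com/position?jvi=oQ1lVfwR,Job',
  '',
  'GET /position?jvi=oQ1lVfwR,Job HTTP/1.1',
  'Host: www.dropbox.com',
  SEP,
  'http://hire.jobvite.com/CompanyJobs/Careers.aspx?k=JobListing&c=qD19Vfws&v=1',
  '',
  'GET /CompanyJobs/Careers.aspx?k=JobListing&c=qD19Vfws&v=1 HTTP/1.1',
  'Referer: http://www.dropbox.com/position?jvi=oQ1lVfwR,Job',
  SEP,
  'https://www.dropbox.com/frameresize.htm?height=1263',
  '',
  'GET /frameresize.htm?height=1263 HTTP/1.1',
  'Referer:', // value wrapped onto the next line, as in the mail
  'http://hire.jobvite.com/CompanyJobs/Careers.aspx?k=JobListing&c=qD19Vfws&v=1',
  SEP,
].join('\n');

// Split a Live HTTP Headers dump into {url, referer} records.
function parseCapture(text) {
  return text.split(/^[ \t]*-{10,}[ \t]*$/m).map(b => b.trim()).filter(Boolean).map(block => {
    const lines = block.split('\n').map(l => l.trim());
    const i = lines.findIndex(l => /^Referer:/i.test(l));
    let referer = null;
    if (i >= 0) referer = lines[i].slice(8).trim() || lines[i + 1] || null;
    return { url: lines[0], referer };
  });
}

// Hosts seen under more than one origin (scheme + host + port).
function splitOriginHosts(entries) {
  const byHost = new Map();
  for (const { url } of entries) {
    const u = new URL(url);
    if (!byHost.has(u.hostname)) byHost.set(u.hostname, new Set());
    byHost.get(u.hostname).add(u.origin);
  }
  return [...byHost].filter(([, o]) => o.size > 1)
                    .map(([host, o]) => ({ host, origins: [...o].sort() }));
}

console.log(splitOriginHosts(parseCapture(SAMPLE)));
```

On the sample, only www.dropbox.com is reported: the top-level page was loaded over http while the frameresize helper was loaded over https.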

