[tor-bugs] #4176 [EFF-HTTPS Everywhere]: Check that there are no holes left by the removal of nsIContentPolicy
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Fri Oct 7 05:45:58 UTC 2011
#4176: Check that there are no holes left by the removal of nsIContentPolicy
----------------------------------+-----------------------------------------
Reporter: pde | Owner: pde
Type: task | Status: new
Priority: normal | Milestone:
Component: EFF-HTTPS Everywhere | Version:
Keywords: | Parent:
Points: | Actualpoints:
----------------------------------+-----------------------------------------
Comment(by vic):
Not sure where you want this discussion to go (copied from #3882 )
Replying to [comment:10 pde]:
> Replying to [comment:7 vic]:
> > Why do you need to disable the nsIContentPolicy::shouldLoad / forceURI
path?
> >
>
> Because the Firefox patch isn't in Firefox 4-7, and we'd prefer not to
crash those browsers?
The removal was in the main branch of HTTPS Everywhere.
Right now Firefox 4-6 has no security updates.
My suggestion is to keep the nsIContentPolicy::shouldLoad / forceURI path
in HTTPS Everywhere v2.0.xDev and release version 2 on the same day that
Firefox 8 ships.
>
> >
> > Please restore the nsIContentPolicy::shouldLoad / forceURI path in
stable version.
>
> Despite Giorgio's concerns, we haven't yet found any cases in which
disabling nsIContentyPolicy caused an insecure HTTP load. If we find any,
we'll try to turn it back on just for those cases.
Really would appreciate if you left it on for Everything, just in case.
I mean come to think of it, the patch released @
https://bugzilla.mozilla.org/show_bug.cgi?id=677643 for Firefox 8+ is now
useless? The patch was because we were using the
nsIContentPolicy::shouldLoad / forceURI path right?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4176#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list