[tor-bugs] #5196 [HTTPS Everywhere: Chrome]: Translate breakage in Chrome

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Fri Feb 24 23:54:12 UTC 2012


#5196: Translate breakage in Chrome
--------------------------------------+-------------------------------------
 Reporter:  pde                       |          Owner:  aaronsw
     Type:  defect                    |         Status:  new    
 Priority:  blocker                   |      Milestone:         
Component:  HTTPS Everywhere: Chrome  |        Version:         
 Keywords:                            |         Parent:         
   Points:                            |   Actualpoints:         
--------------------------------------+-------------------------------------

Comment(by pde):

 Matt Perry sent this by email:

 > OK, upon further investigation, it is not related to the fact that this
 is a POST request. It's actually caused by a conflation of 2
 implementation details in Chrome:
  1. The translate request is done using an XMLHttpRequest from the context
 of the main page. In this case, the translated page is requesting
 http://translate.googleapis.com/...
  2. The webRequest API rewrites URLs by simulating a redirect. When HTTPS
 Everywhere tells us to redirect http://foo to https://foo, we actually
 simulate a redirect internally.

 > Because of (1), the redirection in (2) is considered cross-origin (the
 security origin is that of the main page, and the redirected URL's origin
 is translate.googleapis.com). Chrome (specifically, WebKit) blocks this
 cross-origin redirect.
 >
 > I could be misunderstanding web security policy, but it seems like a bug
 to me. I don't see why redirecting an XMLHttpRequest from
 http://translate.googleapis.com to https://translate.googleapis.com
 should care about the security origin of the containing page.
 >
 > In any case, it's a Chrome issue. I think your only workaround is to
 exempt translate.googleapis.com from the rules.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5196#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
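
The interaction described in the quoted email, modelled as an added example (not code from Chrome, HTTPS Everywhere or this ticket): the rewrite is delivered as a redirect and judged against the page's origin, and exempting the host skips the rewrite. The function names, the `exemptHosts` set and the sample URLs are assumptions.

```javascript
// Simplified model of the behaviour described in the email above.
// All names are hypothetical; this is not Chrome's or the extension's code.

// Origin = scheme + host + port, as computed by the WHATWG URL parser.
function originOf(url) {
  return new URL(url).origin;
}

// Upgrade http:// to https:// unless the host is exempted (the workaround).
// Returns null when no rewrite applies.
function rewriteToHttps(url, exemptHosts) {
  const u = new URL(url);
  if (u.protocol !== "http:" || exemptHosts.has(u.hostname)) return null;
  u.protocol = "https:";
  return u.href;
}

// An XMLHttpRequest issued by pageUrl. The rewrite is modelled as a redirect
// and compared with the page's origin, which is the check the email describes.
function simulateXhr(pageUrl, requestUrl, exemptHosts = new Set()) {
  const target = rewriteToHttps(requestUrl, exemptHosts);
  if (target === null) {
    return { finalUrl: new URL(requestUrl).href, redirected: false, blocked: false };
  }
  const crossOrigin = originOf(target) !== originOf(pageUrl);
  return { finalUrl: crossOrigin ? null : target, redirected: true, blocked: crossOrigin };
}

// Constructed sample URLs.
const PAGE = "http://news.example/article";
const TRANSLATE = "http://translate.googleapis.com/sample";
const EXEMPT = new Set(["translate.googleapis.com"]);

// Rewrite applied: redirect target's origin differs from the page's, so blocked.
console.log(simulateXhr(PAGE, TRANSLATE));
// Host exempted: no rewrite, no redirect, request goes out unchanged over HTTP.
console.log(simulateXhr(PAGE, TRANSLATE, EXEMPT));
// Redirect target shares the page's origin: rewrite succeeds.
console.log(simulateXhr("https://shop.example/cart", "http://shop.example/api"));
```

The exemption restores the translate feature at the cost of leaving that host's requests on plain HTTP.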
