[tor-bugs] #7569 [EFF-HTTPS Everywhere]: HTTPS-E "Vimeo" Ruleset breaks video player when embedded in foreign sites

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Nov 25 19:16:52 UTC 2012


#7569: HTTPS-E "Vimeo" Ruleset breaks video player when embedded in foreign sites
-------------------------------------------------------+--------------------
 Reporter:  xaho                                       |          Owner:  pde            
     Type:  defect                                     |         Status:  new            
 Priority:  normal                                     |      Milestone:                 
Component:  EFF-HTTPS Everywhere                       |        Version:  HTTPS-E 4.0dev1
 Keywords:  vimeo ruleset portal embedded video flash  |         Parent:                 
   Points:                                             |   Actualpoints:                 
-------------------------------------------------------+--------------------
 Should the "Vimeo" ruleset be disabled by default ?

 All together, quite a few bits transit over clear http, not only the
 stream itself, but also main portal (302), jpg pics etc. And the current
 ruleset's exclusion breaks embedded video in foreign sites.

 Vimeo web server
 * does 302 redirs (!)
   from https://vimeo.com/52967607
     or https://secure.vimeo.com/52967607
     to http://vimeo.com/52967607
 * uses crossdomain.xml from s3.amazonaws.com, which sets secure="false"

 Server "av.vimeo.com" accepts only plain http.
 It is a CNAME to Akamai, providing:
 * one of the crossdomain.xml policies
 * the mp4 stream itself (!) eg.
 http://av.vimeo.com/53582/034/127433681.mp4?aktimeoffset=0&aksessionid=934ec68da0bfe408ca1b45859b633d95&token=1353724714_ed490f0ff8abb6789d39e55363907700
 (and no secured alternative address is known to date)

 Server "a.vimeocdn.com" is excluded (for flash only)
   <exclusion pattern="^http://a\.vimeocdn\.com/p/flash/moogaloop/" />
 * Without the exclusion, videos do *not* play from vimeo portal,
     http://vimeo.com/52967607
     https://mail1.eff.org/pipermail/https-everywhere/2012-October/001583.html
   however, they *do* play fine when embedded from foreign sites, eg.
     http://sid.rstack.org/blog/index.php/567-chasse-au-lapin
 * With the exclusion, we get the exact opposite
   (videos play on vimeo portal, but not from foreign sites)

 Current version & head

 https://gitweb.torproject.org/https-everywhere.git/blob/4f92f184d5eb479904f5c625fa34cb93020c8856:/src/chrome/content/rules/Vimeo.xml

 https://gitweb.torproject.org/https-everywhere.git/blob/HEAD:/src/chrome/content/rules/Vimeo.xml

 See also #7554

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7569>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
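
How an `<exclusion>` takes precedence over a `<rule>` in a ruleset like the one discussed in this ticket, as an added example (not part of the original report and not HTTPS Everywhere's own code). Only the exclusion pattern is quoted from the ticket; the `<target>` and `<rule>` lines, the function names and the sample URLs are constructed assumptions.

```javascript
// Constructed ruleset: the <exclusion> line is quoted from the ticket;
// the <target> and <rule> lines are assumptions for illustration only.
const RULESET_XML = `
<ruleset name="Vimeo (example)">
  <target host="a.vimeocdn.com" />
  <exclusion pattern="^http://a\\.vimeocdn\\.com/p/flash/moogaloop/" />
  <rule from="^http://a\\.vimeocdn\\.com/" to="https://a.vimeocdn.com/" />
</ruleset>`;

// Collect name="value" attribute pairs from one tag body.
function attrs(tag) {
  const out = {};
  for (const m of tag.matchAll(/([\w-]+)="([^"]*)"/g)) out[m[1]] = m[2];
  return out;
}

// Minimal parser for the three child elements used above (hypothetical helper).
function parseRuleset(xml) {
  const rs = { targets: [], exclusions: [], rules: [] };
  for (const m of xml.matchAll(/<(target|exclusion|rule)\b([^>]*)>/g)) {
    const a = attrs(m[2]);
    if (m[1] === "target") rs.targets.push(a.host);
    if (m[1] === "exclusion") rs.exclusions.push(new RegExp(a.pattern));
    if (m[1] === "rule") rs.rules.push({ from: new RegExp(a.from), to: a.to });
  }
  return rs;
}

// Exclusions are tested before any rule: a matching URL is left on plain http.
function rewrite(rs, url) {
  const host = new URL(url).hostname;
  if (!rs.targets.includes(host)) return { url, reason: "no-target" };
  if (rs.exclusions.some((re) => re.test(url))) return { url, reason: "excluded" };
  for (const r of rs.rules) {
    if (r.from.test(url)) return { url: url.replace(r.from, r.to), reason: "rewritten" };
  }
  return { url, reason: "no-rule" };
}

const ruleset = parseRuleset(RULESET_XML);
for (const u of [
  "http://a.vimeocdn.com/p/flash/moogaloop/player.swf", // constructed path tail
  "http://a.vimeocdn.com/images/thumb.jpg",             // constructed
  "http://av.vimeo.com/clip.mp4",                       // constructed; host not targeted
]) {
  const r = rewrite(ruleset, u);
  console.log(`${r.reason.padEnd(10)} ${u} -> ${r.url}`);
}
```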

