[tor-bugs] #9536 [EFF-HTTPS Everywhere]: Doesn't respect CSP policies

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Aug 19 16:55:17 UTC 2013


#9536: Doesn't respect CSP policies
----------------------------------+-----------------------------------------
 Reporter:  Erom2                 |          Owner:  pde
     Type:  defect                |         Status:  new
 Priority:  normal                |      Milestone:     
Component:  EFF-HTTPS Everywhere  |        Version:     
 Keywords:                        |         Parent:     
   Points:                        |   Actualpoints:     
----------------------------------+-----------------------------------------
 Assume a site pulls scripts from a CDN, like cdnjs.cloudflare.com using
 the http protocol, and has a script-src of "http://cdnjs.cloudflare.com"
 set in the Content-Security-Policy header.

 If a user with HTTPS Everywhere installed were to browse on the site, it
 would try to fetch the scripts using https, which is forbidden by the CSP
 header, thus breaking the site.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9536>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
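
The mismatch reported in this ticket, as an added illustration (not part of the ticket and not HTTPS Everywhere's code): a simplified CSP host-source matcher showing why an `http://` source expression rejects the rewritten `https://` request under strict scheme comparison, and how listing both schemes or using the CSP Level 3 rule that lets `http` match `https` avoids the breakage. Function names are hypothetical, the script URL is constructed, and path parts and keyword sources are not handled.

```javascript
// Added illustration: function names are hypothetical and the URLs are constructed samples.
const DEFAULT_PORT = { http: "80", https: "443" };

// Parse a host-source such as "http://cdnjs.cloudflare.com" or "*.example.com:8443".
// Path parts are not handled here (assumption made to keep the example short).
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) throw new Error("unsupported source expression: " + expr);
  return {
    scheme: m[1] ? m[1].toLowerCase() : null,
    wildcard: Boolean(m[2]),
    host: m[3].toLowerCase(),
    port: m[4] || null,
  };
}

// upgradeMatching=false: scheme must be identical (the behaviour the ticket reports).
// upgradeMatching=true: an "http" expression also matches "https" (CSP Level 3 rule).
function sourceAllows(expr, requestUrl, { upgradeMatching, pageScheme = "http" }) {
  const src = parseHostSource(expr);
  const url = new URL(requestUrl);
  const urlScheme = url.protocol.slice(0, -1);
  // A scheme-less expression is compared against the scheme of the protected page.
  const wanted = src.scheme || pageScheme;
  const isUpgrade = wanted === "http" && urlScheme === "https";
  if (wanted !== urlScheme && !(upgradeMatching && isUpgrade)) return false;

  const host = url.hostname.toLowerCase();
  if (src.wildcard ? !host.endsWith("." + src.host) : host !== src.host) return false;

  const urlPort = url.port || DEFAULT_PORT[urlScheme];
  if (src.port === "*") return true;
  if (src.port === null) return urlPort === DEFAULT_PORT[urlScheme];
  return src.port === urlPort;
}

// A request is allowed if any expression in the space-separated source list matches.
function listAllows(sourceList, requestUrl, opts) {
  return sourceList.trim().split(/\s+/).some((e) => sourceAllows(e, requestUrl, opts));
}

const upgraded = "https://cdnjs.cloudflare.com/ajax/libs/example/1.0/example.min.js"; // constructed
const strict = { upgradeMatching: false };
console.log(listAllows("http://cdnjs.cloudflare.com", upgraded, strict));
console.log(listAllows("http://cdnjs.cloudflare.com https://cdnjs.cloudflare.com", upgraded, strict));
console.log(listAllows("http://cdnjs.cloudflare.com", upgraded, { upgradeMatching: true }));
```

For site operators, the policy-side fix is to list the `https://` origin (alone or alongside `http://`) in `script-src`, so the rewritten request is permitted regardless of how the browser compares schemes.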

