[tor-bugs] #9196 [EFF-HTTPS Everywhere]: Postpone Firefox mixed content blocking from FF 23 -> 24 (with user notice & control)

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jul 16 00:37:37 UTC 2013

#9196: Postpone Firefox mixed content blocking from FF 23 -> 24 (with user notice
& control)
 Reporter:  pde                   |          Owner:  lisacyao   
     Type:  defect                |         Status:  new        
 Priority:  blocker               |      Milestone:  HTTPS-E 3.3
Component:  EFF-HTTPS Everywhere  |        Version:             
 Keywords:                        |         Parent:             
   Points:                        |   Actualpoints:             

Comment(by mikeperry):

 The reality of the situation is that their implementation can't protect
 against large categories of script and content leaks either, in particular
 sites where the https script sources redirect to http (such scripts cannot
 be blocked by the nsIContentPolicy-based Mixed Content Blocker).

 I think we should aim for the stopgap solution that does the least damage
 to sites without completely disabling the huge swaths of our ruleset
 database (especially rules that only cause problems with the broken
 nsIContentPolicy implementation), because either of those will also cause
 users to lose protection, via less ruleset coverage, or via uninstalling

 Given that our only choices seem to be "disable a ton more rules than we
 should", "seriously degrade the user experience of HTTPS-Everywhere
 users", and "disable mixed content until it can be done right", I think
 the least invasive choice is the third one.

 As for the uninstall issue, it is possible to write an uninstall observer
 to reset the pref upon disable/uninstall using the addonListener service:

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9196#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
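
The uninstall observer described in the comment above, as an added example that is not part of the original message or of HTTPS Everywhere's code. It assumes the pref being reset is Firefox's `security.mixed_content.block_active_content`, and it uses a hypothetical marker pref so that a value the user set themselves is left alone.

```javascript
// Added example. MARKER_PREF is a hypothetical pref name; the listener method
// names follow Firefox's AddonManager AddonListener interface.
const MCB_PREF = "security.mixed_content.block_active_content"; // assumed target pref
const MARKER_PREF = "extensions.https_everywhere.mcb_disabled_by_us"; // hypothetical
const ADDON_ID = "https-everywhere@eff.org";

// prefs: any object exposing the nsIPrefBranch methods used below.
function makeMcbResetListener(prefs, addonId) {
  let pendingUndo = false;

  // Only undo the override if the extension recorded that it made it.
  function weChangedIt() {
    return prefs.prefHasUserValue(MARKER_PREF) && prefs.getBoolPref(MARKER_PREF);
  }

  function restoreDefault(addon) {
    if (addon.id !== addonId || !weChangedIt()) return;
    prefs.clearUserPref(MCB_PREF);    // fall back to the browser's default
    prefs.clearUserPref(MARKER_PREF);
    pendingUndo = true;
  }

  return {
    onDisabling: restoreDefault,
    onUninstalling: restoreDefault,
    // The user can cancel a pending disable/uninstall; re-apply the override.
    onOperationCancelled(addon) {
      if (addon.id !== addonId || !pendingUndo) return;
      prefs.setBoolPref(MCB_PREF, false);
      prefs.setBoolPref(MARKER_PREF, true);
      pendingUndo = false;
    },
  };
}

// Registration inside the extension (legacy XPCOM environment only).
if (typeof Components !== "undefined") {
  Components.utils.import("resource://gre/modules/AddonManager.jsm");
  Components.utils.import("resource://gre/modules/Services.jsm");
  AddonManager.addAddonListener(makeMcbResetListener(Services.prefs, ADDON_ID));
}
```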
