[tor-bugs] #8774 [EFF-HTTPS Everywhere]: Disable mixed content rulesets on FF 23+

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jul 23 21:14:40 UTC 2013 

#8774: Disable mixed content rulesets on FF 23+
----------------------------------+-----------------------------------------
 Reporter:  pde                   |          Owner:  micahlee       
     Type:  defect                |         Status:  assigned       
 Priority:  critical              |      Milestone:  HTTPS-E 4.0dev8
Component:  EFF-HTTPS Everywhere  |        Version:                 
 Keywords:                        |         Parent:  #6975          
   Points:                        |   Actualpoints:                 
----------------------------------+-----------------------------------------

Comment(by Tanvi):

 HTTPS Everywhere aside, the Mixed Content Blocker does not properly handle
 redirects.  This is a known issue and it is important for us to fix this.
 We first talked to Peter about the compatibility issues in April.  And we
 also communicated this as soon as the feature was turned on in nightly
 (https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-
 in-firefox-23/ - see Remaining Edge Cases and Appendix sections).
 However, as described, we didn't want the edge cases to delay the release
 of the MCB.  We believe that 95% protection is better than no protection
 for Firefox users.

 The Mixed Content Blocker is an important security feature with many
 moving parts.  We are doing the best we can with the time we have, keeping
 in mind our goal to protect users sooner than later.  Fixing the redirect
 issue and bug 878890 is on my radar, but there are more pressing issues
 that we have to attend to first, or else we risk the feature being
 disabled for all Firefox users.  When prioritizing tasks, we have to
 consider security for the majority of Firefox users and hence we have to
 complete a few other tasks before we get to bug 878890.  If the EFF can
 help fix bug 878890, we are happy to have the extra help.  Otherwise, we
 will get to it but it will take some time.

 HTTPS Everywhere had the same issues with Chrome.  You had to identify and
 disable rulesets with Mixed Content.  For Firefox, we are in a similar
 situation except that this is a temporary solution (rather than
 permanent).  I've been working closely with Lisa to help her identify
 which rulesets cause mixed content.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8774#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list