[tor-bugs] #8774 [EFF-HTTPS Everywhere]: Disable mixed content rulesets on FF 23+
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri May 24 00:07:22 UTC 2013
#8774: Disable mixed content rulesets on FF 23+
----------------------------------+-----------------------------------------
Reporter: pde | Owner: pde
Type: defect | Status: new
Priority: critical | Milestone: HTTPS-E 4.0dev8
Component: EFF-HTTPS Everywhere | Version:
Keywords: | Parent: #6975
Points: | Actualpoints:
----------------------------------+-----------------------------------------
Changes (by pde):
* milestone: HTTPS-E 4.0dev7 => HTTPS-E 4.0dev8
Comment:
tanvi and I have been chatting about this in #security on irc.mozilla.org.
For everyone who isn't there:
<tanvi> pde: ping
<tanvi> pde: thanks for cc'ing me on your mixed content bug. you
mentioned that you might try disabling mixed content blocker. i don't
think your addon can change the pref without causing a warning/alert when
submitting to AMO for review
<tanvi> that is a privileged pref that addons can't change
<pde> tanvi: what we'd want would be a way to disable it in specific
contexts
<pde> we wouldn't want blanket disablement, since I think that would
decrease user security overall
<pde> and I guess I'm not committed to trying to do things that way, it's
just one of the options
<tanvi> hmm; not sure if that coudl be accomplished
<tanvi> i suppose you coudl include javascript in the addon that looks for
the shield after https everywhere rewrites a url and selects "Disable
Protection on this page"
<pde> exactly the sort of hackery I'm afraid of
<tanvi> we have a mochitest that you could use to find broken sites
<pde> alternatively we could write the same javascript (or use mochitest)
and try to disable our rewrites for those sites
<tanvi> not sure if it will work with the addon; but if you take alexa top
X sites and run them through your rewrite rules
<tanvi> you can then take the https urls that you get and put them through
the mochitest
<pde> we can also do it with opt-in user pingbacks
<tanvi> the results of the mochitest will tell you whether or not Mixed
Active Content was detected on the page
<pde> oh I see
<tanvi> once you know which of yoru rewrite rules result in pages with
Mixed Active Content, you can disable those rewrite rules
<pde> the hard part of that is that sometimes Mixed Active Content will
happen in really obscure parts of sites, only for logged in users, etc
<tanvi> pde - yeah, that is true
<pde> so I think our best chance will be to opt-in instrument our users in
the wild and see where it's happening
<tanvi> we tested the top 1000 alexa sites for mixed content, and found 77
with mixed active content. but we only tested the homepage and we didnt
log in
<pde> we have already found quite a few via manual reporting from our
chrome userbase
<pde> but I think we currently just offer our chrome users a much worse
experience than our firefox users
<tanvi> even before Firefox 23, you can listen for certain
nsWebProgressListener flags. specifically
STATE_LOADED_MIXED_ACTIVE_CONTENT http://mxr.mozilla.org/mozilla-
central/source/uriloader/base/nsIWebProgressListener.idl#185
<tanvi> that will tell you if the mixed content blocker will be invoked
for a website.
<tanvi> prior to FF23
<tanvi> in FF23 (when it is blocked by default) you woudl look for
STATE_BLOCKED_MIXED_ACTIVE_CONTENT
<pde> oh that's super helpful
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8774#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list