[tor-bugs] #15763 [EFF-HTTPS Everywhere]: Need whitelist entry for www.fark.com and total.fark.com

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Apr 21 19:24:35 UTC 2015 

#15763: Need whitelist entry for www.fark.com and total.fark.com
-----------------------------+---------------------------------------------
 Reporter:  bit0mike         |          Owner:
     Type:  defect           |         Status:  new
 Priority:  normal           |      Milestone:  HTTPS-E next Chrome release
Component:  EFF-HTTPS        |        Version:
  Everywhere                 |  Actual Points:
 Keywords:                   |         Points:
Parent ID:                   |
-----------------------------+---------------------------------------------
 Short version: HTTPS Anywhere now breaks many form submissions on
 www.fark.com and total.fark.com, and we need a whitelist rule.

 Longer version: our desktop site's ads cannot load over HTTPS, so we have
 to unfortunately run that site HTTP to avoid mixed-content warnings.
 Google's ad team, and third party ad networks, apparently don't have the
 same urgency as Google's Chrome team when it comes to encouraging HTTPS
 use...

 We do now have a way to pay a small monthly amount to turn ads off yet
 still support the site (!BareFark), and anyone that buys that gets an SSL
 version of the site as a perk, and is forcibly redirected to it if they
 hit it via plaintext.  To make ads work though, we have to push everyone
 else back to the plaintext version.

 Unfortunately, this combined with HTTPS Anywhere breaks our Post-Redirect-
 Get form submission logic.  The POST always goes to HTTPS, caches the form
 variables, then redirects to a GET which then retrieves those variables
 (and clears the cached version to avoid double-submits).  HTTPS Anywhere
 then tries to redirect that GET back to an HTTPS version, which causes the
 form variables to be lost and the overall POST to fail.  Sad trombone.

 Fortunately our mobile ad networks don't have the limitation of being
 HTTP-only, so, we do NOT need a whitelist rule for m.fark.com,
 m.total.fark.com, or our images host img.fark.net.  We already forcibly
 redirect all mobile hits over to HTTPS, though we aren't quite yet using
 HSTS to do it.  (See, we're at least trying...)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15763>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list