[tor-bugs] #6980 [EFF-HTTPS Everywhere]: HTTPS Everywhere rules often interfere with Adobe cross-domain policy mechanism
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Wed Sep 26 22:32:36 UTC 2012
#6980: HTTPS Everywhere rules often interfere with Adobe cross-domain policy
mechanism
----------------------------------+-----------------------------------------
Reporter:   schoen                | Owner:         pde
Type:       defect                | Status:        new
Priority:   trivial               | Milestone:
Component:  EFF-HTTPS Everywhere  | Version:
Keywords:                         | Parent:
Points:                           | Actualpoints:
----------------------------------+-----------------------------------------

Adobe Flash Player defines a cross-domain policy file mechanism
<https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html>
for preventing cross-domain attacks involving Flash. The file is written
in XML and placed in a file called crossdomain.xml at the root of a domain
<http://kb2.adobe.com/cps/142/tn_14213.html>. Current versions of Flash
Player will block some information flows unless they are explicitly
permitted by the cross-domain policy file.

We've had several bugs (usually about video embedding) related to
rewriting http://www.example.com/crossdomain.xml into
https://www.example.com/crossdomain.xml. As I understand it, these bugs
resulted from either (1) the HTTPS version not existing at all, or (2) the
HTTPS version having different contents from the HTTP version, resulting
in the end-user's Flash plugin not learning that a site had intended to
permit an embedding-related action (and incorrectly blocking the action).

I don't think Flash Player treats cross-domain policy files loaded over
HTTPS differently from those loaded over HTTP, and I don't think it
forbids the files to be loaded over HTTPS, although both of these
possibilities are worth checking into.

We would like to have a blanket solution for this category of errors
(which might still be responsible for a number of our ongoing video
embedding bugs), or at least a way to identify them quickly with automated
testing.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6980>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
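
One way to automate the check the ticket asks for, as an added example (not part of the original ticket or of HTTPS Everywhere's code): given the responses a caller fetched for /crossdomain.xml over HTTP and over HTTPS, report whether the HTTPS policy is missing (case 1) or lacks directives that the HTTP policy grants (case 2). The function names, verdict strings and sample policies are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Policy directives and the attributes compared for each (literal comparison;
# wildcard coverage between domains is not evaluated here).
DIRECTIVES = {
    "site-control": ("permitted-cross-domain-policies",),
    "allow-access-from": ("domain", "to-ports", "secure"),
    "allow-http-request-headers-from": ("domain", "headers", "secure"),
}

def parse_policy(status, body):
    """Return the set of directives in a policy response, or None if the
    response is not a usable cross-domain policy (error status, HTML, bad XML)."""
    if status != 200:
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "cross-domain-policy":
        return None
    return {
        (el.tag, tuple((a, el.get(a)) for a in DIRECTIVES[el.tag] if el.get(a)))
        for el in root if el.tag in DIRECTIVES
    }

def classify(http_resp, https_resp):
    """Each argument is a (status, body) pair the caller fetched for
    /crossdomain.xml. Returns (verdict, directives lost by the rewrite)."""
    http_policy = parse_policy(*http_resp)
    if http_policy is None:
        return ("no-http-policy", [])  # nothing for a rewrite to break
    https_policy = parse_policy(*https_resp)
    if https_policy is None:
        return ("https-missing", sorted(http_policy))  # case (1) in the ticket
    lost = sorted(http_policy - https_policy)
    return ("https-differs", lost) if lost else ("ok", [])  # case (2)

# Constructed sample responses (not taken from any real site).
HTTP_BODY = """<!DOCTYPE cross-domain-policy SYSTEM
  "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*.example.net"/>
  <allow-access-from domain="player.example.org"/>
</cross-domain-policy>"""
HTTPS_BODY = """<cross-domain-policy>
  <allow-access-from domain="*.example.net"/>
</cross-domain-policy>"""
```

A 200 response over HTTPS that is an HTML error page rather than a policy is reported as "https-missing", since Flash would not obtain a policy from it either.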