[tor-bugs] #7851 [EFF-HTTPS Everywhere]: XHR requests don't load when rewritten by HTTPS Everywhere (was: Rulesets affecting only XHR requests may not appear in the context menu.)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Aug 24 00:29:51 UTC 2013
#7851: XHR requests don't load when rewritten by HTTPS Everywhere (was: Rulesets
affecting only XHR requests may not appear in the context menu.)
----------------------------------+-----------------------------------------
Reporter: pde | Owner: zyan
Type: defect | Status: assigned
Priority: normal | Milestone:
Component: EFF-HTTPS Everywhere | Version:
Keywords: | Parent:
Points: | Actualpoints:
----------------------------------+-----------------------------------------
Comment(by zyan):
Oh, this appears to be at-least-sometimes an instance of same-origin
policy violation, since different protocols are considered to be different
origins.
The-Verge.xml in the current development branch is a good example of this:
- A page with a URL pattern like http://www.theverge.com/2013/8/23/4651536
/who-will-be-the-next-microsoft-ceo is excluded, so it doesn't get
redirected to https.
- However, it sends an XHR request to
https://www.theverge.com/comments/load_comments/4415577?t=1377303469517 to
load comments, which does trigger the The Verge rule!
As a result, if HTTPS everywhere is enabled and you go to the http://
page, the comments won't load. However, if you manually type in the
https:// page, the comments load.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7851#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list