[tor-bugs] #9536 [EFF-HTTPS Everywhere]: Doesn't respect CSP policies
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Jul 12 17:18:24 UTC 2014
#9536: Doesn't respect CSP policies
--------------------------------------+-----------------
Reporter: Erom2 | Owner: pde
Type: defect | Status: new
Priority: normal | Milestone:
Component: EFF-HTTPS Everywhere | Version:
Resolution: | Keywords:
Actual Points: | Parent ID:
Points: |
--------------------------------------+-----------------
Comment (by zyan):
This is enough of an edge case that the "right" solution is probably to
inform the site operator and ask them to add https://cdnjs.cloudflare.com
to the CSP header. Alternative, we could apply the HTTPS Everywhere rules
to CSP headers in an http-on-modify-response header but that would be more
of a project.
We also have this issue with CORS headers. Either Site A or Site B is
rewritten by HTTPS Everywhere, so the CORS header in Site B no longer
allows XHRs from Site A, caushing Site A to break.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9536#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list