| CARVIEW |
Opened 3 years ago
Closed 19 months ago
#6975 closed task (fixed)
Tag for Chrome & FF23+ all the rulesets where mixed content breaks things (!)
| Reported by: | pde | Owned by: | micahlee |
|---|---|---|---|
| Priority: | Very High | Milestone: | |
| Component: | EFF-HTTPS Everywhere | Version: | |
| Severity: | Keywords: | ||
| Cc: | palmer@…, mmacleod@… | Actual Points: | |
| Parent ID: | Points: | ||
| Reviewer: | Sponsor: |
Description
Recent versions of Chromium and Chrome have implemented an automatic mechanism to block the loading of insecure HTTP scripts from HTTPS origins. At first there was a loud popup message whenever that happened, but now the only indication in the UI is a small shield in the address bar, which the user can click on to force the insecure scripts to load.
Google has replied "won't fix" to any UX or extension API requests we made about this: https://code.google.com/p/chromium/issues/detail?id=144637
As a result, we are going to need a major push to identify rulesets that break sites in Chrome because of this mechanism, and disable them on that platform. This ticket will track that task.
Child Tickets
| Ticket | Summary | Owner |
|---|---|---|
| #6973 | HTTPS Everywhere for Chrome is preventing CR from loading correctly | pde |
| #7238 | Chrome HTTPS Everywhere makes some iGoogle page widget break | pde |
| #7427 | Problem with the images on www.fmylife.com | pde |
| #7628 | Verizon Wireless site doesn't load correctly | pde |
| #8216 | BBC iPlayer renders weirdly | MB |
| #8563 | Zend Download page broken/Partial content | pde |
| #8566 | Chrome - Wordpress.org support area broken (mixed content) | pde |
| #8569 | Chrome - Dell website broken, mixed content | pde |
| #8584 | Chrome - Apple Support site broken (mixed content) | pde |
| #8738 | Chrome - www.fbi.gov broken (mixed content) | pde |
Change History (10)
comment:2 Changed 3 years ago by pde
- Type changed from defect to task
The Firefox master branch will currently consider rulesets marked platform="mixedcontent" enabled, while other platforms including Chrome will not.
comment:4 Changed 3 years ago by pde
Similar mixed content blocking is landing in Firefox so this is going to be an even higher priority.
MB has been labelling a lot of rulesets as "partial". I doubt this corresponds precisely to mixed content, but I wonder what would happen if we assumed that the "partial" rulesets should all be disabled on Chromium and whatever version of FF the mixed content blocking lands in.
comment:5 Changed 3 years ago by alphawolf
Is there a way to get a list of all the sites for which rules exists? When I have free time, I'd be willing to systematically go through the list and create new tickets for affected sites. Currently I'm just creating tickets as I encounter an issue.
Assuming I did this.. would you want a separate ticket per site, or should I "batch" them?
Would it be useful for me to learn the rule syntax, and perhaps correct them myself and provide a "patch". If so, in what format would you like it? Just a text file with the corrected rule, or an actual "patch" file?
Where does one even *find* the rules in Chrome??
comment:6 Changed 3 years ago by pde
- Summary changed from Disable on Chromium all the rulesets where mixed content breaks things (!) to Tag for Chrome & FF23+ all the rulesets where mixed content breaks things (!)
comment:7 Changed 3 years ago by micahlee
- Owner changed from pde to micahlee
- Status changed from new to assigned
This is basically fixed now because of #9196. We identified 754 rules in the stable branch that caused mixed content errors and marked them as platform="mixedcontent", and did a Firefox update.
I just need to test a new build of the Chromium extension with these same rules and if it looks good make a new release. I believe that this release can finally be the first stable Chromium release.
comment:8 Changed 2 years ago by Wisperbird
Https everywhere prevents FullPage screenshot.
But when you do a Visible Screenshot and disable "Https everywhere" in the resulting page,
then FullPage screenshot will work.
comment:9 Changed 2 years ago by micahlee
Over the summer Lisa Yao, our Google Summer of Code intern, helped write a bunch of code to do automatic ruleset tests to test for mixed content. Originally it was a mozilla-central mochitest, then moved into a standalone Firefox extension, and now finally it's been merged into the HTTPS Everywhere master branch.
I've updated the readme file with how to run the tests:
You can run ruleset tests by opening about:config and changing extensions.https_everywhere.show_ruleset_tests to true. Now when you open the HTTPS Everywhere context menu there will be a "Run HTTPS Everywhere Ruleset Tests" menu item.
When you run the tests, be prepared to let your computer run them for a really long time.
The tests take over your browser by opening a ton of tabs, waiting for them to load, and seeing if the Firefox MCB gets triggered. A lot more work can be done on them, and they can be used to detect a lot more than just mixed content. But that's all they do for now.
comment:10 Changed 19 months ago by jsha
- Resolution set to fixed
- Status changed from assigned to closed
It's been over a year, and most of the rulesets that break under MCB have been tagged. Additional ones will be fixed using the normal ruleset fix process.
We can achieve this by adding platform="firefox" to all of these rulesets. But it's probably a better idea to make a new pseudoplatform, "mixed", for all HTTPS Everywhere ports where mixed content loads.