
[tor-bugs] #10428 [EFF-HTTPS Everywhere]: Visiting http://awards.tweakers.net logs you out on tweakers.net



#10428: Visiting http://awards.tweakers.net logs you out on tweakers.net
----------------------------------+---------------------
 Reporter:  cypherpunks           |          Owner:  pde
     Type:  defect                |         Status:  new
 Priority:  normal                |      Milestone:
Component:  EFF-HTTPS Everywhere  |        Version:
 Keywords:  httpse-ruleset-bug    |  Actual Points:
Parent ID:                        |         Points:
----------------------------------+---------------------
 The ruleset for *.tweakers.net doesn't enforce https for the subdomain
 awards.tweakers.net. Combined with the securecookie rule this causes the
 session-id cookie to be overwritten with a new one for a not-logged-in
 session.

 It probably is best to just be less specific wrt subdomains:

 <rule from="^http://([a-z]+\.)?tweakers\.net/"
         to="https://$1tweakers.net/" />

 Also the exclusion rule for crossdomain.xml might not be necessary
 anymore, but I haven't checked that yet.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10428>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
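
The failure described in the ticket, modelled as an added example (not part of the original message and not HTTPS Everywhere code). The narrow "before" rule, the cookie values and the extra test hosts are assumptions constructed for illustration; only the broad rule comes from the ticket.

```javascript
// Constructed model of the failure reported in the ticket; not HTTPS Everywhere code.
// ASSUMPTION: the shipped rule covered only the bare and www hosts (the page
// does not show it). broadRule is the rule proposed in the ticket.
const narrowRule = { from: /^http:\/\/(www\.)?tweakers\.net\//, to: "https://$1tweakers.net/" };
const broadRule = { from: /^http:\/\/([a-z]+\.)?tweakers\.net\//, to: "https://$1tweakers.net/" };

// Apply one rule the way a from/to rewrite works: a regex replace on the URL.
function rewrite(url, rule) {
  return url.replace(rule.from, rule.to);
}

// A browser holding a logged-in session cookie that securecookie flagged Secure.
function loggedInJar() {
  return { session: { value: "logged-in", secure: true } };
}

// Visit a URL. A Secure cookie is withheld from plain-HTTP requests, so the
// server (modelled here) sees no session and sets a fresh anonymous one on the
// parent domain, replacing the logged-in cookie as the ticket describes.
function visit(url, rule, jar) {
  const finalUrl = rewrite(url, rule);
  const overTls = finalUrl.startsWith("https://");
  const c = jar.session;
  const sent = c && (overTls || !c.secure) ? c.value : null;
  if (sent === null) jar.session = { value: "anonymous", secure: false };
  return { finalUrl, sent, sessionAfter: jar.session.value };
}

const url = "http://awards.tweakers.net/";
console.log("narrow:", visit(url, narrowRule, loggedInJar()));
console.log("broad: ", visit(url, broadRule, loggedInJar()));
// Coverage check: [a-z]+ matches one lowercase-letter label only, so hosts
// with digits, hyphens or several labels stay on HTTP (hosts are constructed).
for (const h of ["tweakers.net", "awards.tweakers.net", "a-1.tweakers.net", "x.y.tweakers.net"]) {
  console.log(h, "->", rewrite(`http://${h}/`, broadRule));
}
```

With the narrow rule the visit stays on HTTP and the session ends up anonymous; with the proposed rule the request is upgraded and the logged-in cookie is sent.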