
[tor-bugs] #15763 [EFF-HTTPS Everywhere]: Need whitelist entry for www.fark.com and total.fark.com



#15763: Need whitelist entry for www.fark.com and total.fark.com
-----------------------------+---------------------------------------------
 Reporter:  bit0mike         |          Owner:
     Type:  defect           |         Status:  new
 Priority:  normal           |      Milestone:  HTTPS-E next Chrome release
Component:  EFF-HTTPS        |        Version:
  Everywhere                 |  Actual Points:
 Keywords:                   |         Points:
Parent ID:                   |
-----------------------------+---------------------------------------------
 Short version: HTTPS Anywhere now breaks many form submissions on
 www.fark.com and total.fark.com, and we need a whitelist rule.

 Longer version: our desktop site's ads cannot load over HTTPS, so we have
 to unfortunately run that site HTTP to avoid mixed-content warnings.
 Google's ad team, and third party ad networks, apparently don't have the
 same urgency as Google's Chrome team when it comes to encouraging HTTPS
 use...

 We do now have a way to pay a small monthly amount to turn ads off yet
 still support the site (!BareFark), and anyone that buys that gets an SSL
 version of the site as a perk, and is forcibly redirected to it if they
 hit it via plaintext. To make ads work though, we have to push everyone
 else back to the plaintext version.

 Unfortunately, this combined with HTTPS Anywhere breaks our Post-Redirect-
 Get form submission logic. The POST always goes to HTTPS, caches the form
 variables, then redirects to a GET which then retrieves those variables
 (and clears the cached version to avoid double-submits). HTTPS Anywhere
 then tries to redirect that GET back to an HTTPS version, which causes the
 form variables to be lost and the overall POST to fail. Sad trombone.

 Fortunately our mobile ad networks don't have the limitation of being
 HTTP-only, so, we do NOT need a whitelist rule for m.fark.com,
 m.total.fark.com, or our images host img.fark.net. We already forcibly
 redirect all mobile hits over to HTTPS, though we aren't quite yet using
 HSTS to do it. (See, we're at least trying...)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15763>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
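
The whitelist behaviour requested in the ticket above, as an added example that is not part of the original report and not the project's own code. It models how a ruleset with target hosts, exclusion patterns and from/to rules is evaluated; the ruleset contents, the redirect path and the token are constructed for illustration.

```javascript
// Added example: ruleset contents and URLs below are constructed for
// illustration; this is not the project's actual Fark ruleset.
const farkRuleset = {
  targets: ["www.fark.com", "total.fark.com", "m.fark.com",
            "m.total.fark.com", "img.fark.net"],
  // Hosts the ticket asks to leave alone: the two desktop sites.
  exclusions: [/^http:\/\/(?:www|total)\.fark\.com\//],
  rules: [{ from: /^http:/, to: "https:" }],
};

// Evaluate a ruleset: the host must match a target, any matching
// exclusion leaves the URL untouched, and otherwise the first rule
// that changes the URL wins.
function rewrite(url, ruleset) {
  const host = new URL(url).hostname;
  if (!ruleset.targets.includes(host)) return url;
  if (ruleset.exclusions.some((re) => re.test(url))) return url;
  for (const { from, to } of ruleset.rules) {
    const out = url.replace(from, to);
    if (out !== url) return out;
  }
  return url;
}

// The Post-Redirect-Get step survives only if the GET named by the
// server's redirect is the GET the browser actually sends.
function prgGetUnchanged(redirectLocation, ruleset) {
  return rewrite(redirectLocation, ruleset) === redirectLocation;
}

// Constructed sample: redirect target issued after a form POST
// (path and token are hypothetical).
const redirectLocation = "http://www.fark.com/comments/result?token=abc123";
const withoutExclusion = { ...farkRuleset, exclusions: [] };

console.log("no exclusion, GET unchanged:",
            prgGetUnchanged(redirectLocation, withoutExclusion));
console.log("with exclusion, GET unchanged:",
            prgGetUnchanged(redirectLocation, farkRuleset));
console.log("mobile still upgraded:",
            rewrite("http://m.fark.com/", farkRuleset));
```

The exclusion is anchored to the scheme and the two desktop hostnames, so the mobile hosts and img.fark.net keep being upgraded to HTTPS.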