
Re: [tor-bugs] #5912 [EFF-HTTPS Everywhere]: MyWOT extension breakage



#5912: MyWOT extension breakage
----------------------------------+-----------------------------------------
 Reporter:  pde                   |          Owner:  pde  
     Type:  defect                |         Status:  new  
 Priority:  normal                |      Milestone:       
Component:  EFF-HTTPS Everywhere  |        Version:       
 Keywords:                        |         Parent:  #3190
   Points:                        |   Actualpoints:       
----------------------------------+-----------------------------------------

Old description:

> Recent changes to the MyWOT ruleset, released in 3.0development.3, are
> reportedly causing breakage in the MyWOT Firefox extension. This is an
> instance of bug #3190.
>
> The available courses of action are:
>
> 1. Wind back the [https://gitweb.torproject.org/https-everywhere.git/history/HEAD:/src/chrome/content/rules/MyWOT.xml recent
> changes to the ruleset], although that will presumably leave mywot.com
> vulnerable to lots of attacks such as Firesheep-style cookie hijacking
> that those changes were trying to protect against.
>
> 2. Have the MyWOT extension make all of these requests over HTTPS, in
> which case it will no longer trip over the HTTPS Everywhere redirects.
>
> 3. Have the MyWOT extension listen for the "https-everywhere-uri-rewrite"
> event [https://gitweb.torproject.org/https-everywhere.git/blob/HEAD:/src/components/https-everywhere.js#l607 that we
> send] when we rewrite things, and re-start those requests over HTTPS.
>
> 4. Disable the MyWOT ruleset altogether.

New description:



--

Comment(by pde):

 Replying to [comment:4 sami]:


 >
 > Are you saying it's not possible for you to rewrite the requests
 > transparently, but it would require changes to our add-on instead?

 That's right, unfortunately :(

 We actually just worked with a developer who figured out a way to make XHR
 requests without us breaking them,

 http://lduros.net/posts/https-everywhere-and-xhr-other-add-ons/

 (it may be possible for us to make changes so that something simpler is
 possible, but we aren't sure yet)

 In any case, if this sounds like too much work, we can just remove
 api.mywot.com from the ruleset, especially if you are certain that won't
 leave users worse off.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5912#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online