[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #5585 [EFF-HTTPS Everywhere]: [CHROME] CSS content fails to load when appcache is enabled
#5585: [CHROME] CSS content fails to load when appcache is enabled
----------------------------------+-----------------------------------------
Reporter: cypherpunks | Owner: pde
Type: defect | Status: new
Priority: critical | Milestone:
Component: EFF-HTTPS Everywhere | Version:
Keywords: | Parent:
Points: | Actualpoints:
----------------------------------+-----------------------------------------
Comment(by isis):
I'm probably not the most qualified person to do so, but I was curious so
I took a look into this tonight. It seems that this is an issue with
Chrome's handling of the same-origin policy for specified resources in
.appcache files.
From [http://appcachefacts.info appcachefacts]:
Over SSL, all resources in the manifest must respect the same-origin
policy. That is, all
paths must be relative, or point to resources on the same host and port
as the current page.
The exception is Google Chrome, which doesn't follow the specification
in this regard. Over
SSL, Chrome will load resources from different origins so long as they
are still served over
SSL.
It's not documented well, but I think the keyword there is "still".
Because the resources from the appcache are HTTP, and because
HTTPSeverywhere tries to load the font css from google over HTTPS, it
fails. Another problem is that a Chrome extension can remove things via
chrome.browsingData.removeAppcache(), but cannot read the Appcache to
check if something's been cached already with a different protocol.
(Otherwise another "if (newuri)" clause could be added to onBeforeRequest
in background.html to check what protocol was used for the cached
resources.)
Possible Solutions:
* Make a content_script which transforms external CSS requests into
[https://developer.mozilla.org/en/HTTP_access_control CORS requests] which
use the same protocol as the domain that is requesting them, and then have
HTTPSeverywhere talk to the content_script with chrome.tabs.connect().
This would be rather nasty, however, and might significantly effect
pageload times. Also, the
[https://code.google.com/p/fbug/issues/detail?id=3225#c7 Chrome Firebug
Lite devs have been looking into this] too.
* Use [http://stackoverflow.com/questions/7977420/how-can-i-detect-if-a
-chrome-extension-has-been-enabled-after-having-been-disab something like]
[http://code.google.com/chrome/extensions/trunk/storage.html#type-
StorageArea sessionStorage]!['isEnabled'] == 1 to clear the appcache when
HTTPSeverywhere is enabled. This is problematic because it would also
clear the cache when Chrome is restarted, which kind of defeats the
performance benefits of caching.
* Make a match rule for !http://*/*.appcache which says to treat the
parent domain in an "all or nothing" protocol way.
Other things worth noting:
* It seems the [https://drupal.org/node/1176100#comment-5928502 Drupal
developers are having trouble] with this too.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5585#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs