-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Use upgrade-insecure-requests to resolve MCB issues #8506
Comments
Ping @Hainish |
For reference, here is a link describing the |
It makes sense for us to set the |
Actually it seems like third-party requests are also upgraded by this directive, so we can't be sure that resources will not be blocked even for trivial rulesets:
|
Ah, I misread the initial comment. Yes, I agree - in HTTP Nowhere mode this should be fine (whether it's a trivial ruleset or not, or whether or not we even have a ruleset for that site). |
<target host="such-a-mixedcontent.host.com" option="upgrade-insecure-requests"> Similar #3343 |
+1 for adding this, it's badly needed, Many sites like jsfiddle are broken with HTTPS Everywhere, esp. when embedded and the user can't rewrite the resources used easily. At the same time, we can't break anything by adding it. It's true that in some cases, the resources can't be loaded by https, so there's no safe solution and the only workaround is to let the user swith to insecure http version of the page easily. These are quite rare for me, I still didn't encounter any, and I hit and solve the MCB issue with HTTPS Everywhere manually quite often. However, while the fix does not work for this corner case, it at least does no damage here, because the https page would not be able to load the http resource due to MCB error anyway. |
@iki if you find that sites are broken, that's a bug in the ruleset. You should report those. |
@iki As an example, suppose a request to |
@jeremyn if things are breaking because of MCB the ruleset should have |
@strugee I don't know what's happening with JSFiddle, hopefully @iki can describe what they are seeing in more detail. I agree that adding |
Just a reminder that this issue is about adding this header in HTTP-Nowhere mode so it wouldn't break more things than it currently is. In the example described by @jeremyn
The image will already fail to load in HTTP-Nowhere mode. |
My issue with this is that an additional header increase indentifiability. This would basically allow websites to find out whether users are using HTTP-Nowhere mode or not. This could potentially be a problem in Tor browser. |
There is no serious defense against browser fingerprinting for an ordinary non-Tor user, so that shouldn't be a concern. For Tor, the advice is to use all defaults partly to fight against fingerprinting, so if all Tor users send the new header, then they are no worse off than without the new header. |
Is there any progress on the basic firefox issue that causes mcb warnings on ressources we already converted to use tls? |
@numismatika What's an example? |
https://forums.askmrrobot.com/ warns about insecure requests from |
@numismatika Thanks, I understand your example. This looks like a Firefox problem, not an HTTPS Everywhere problem. Do you think so too? |
@jeremyn I believe @numismatika was saying it was an upstream issue and was wondering whether there's been progress on it. |
https://bugzilla.mozilla.org/show_bug.cgi?id=878890 appears to be the relevant BMO bug. |
upgrade-insecure-requests is used by "Smart HTTPS" and it seams to be working very well without there being any problems. If there is concern that it may cause problems perhaps, it should be implemented as an experimental option that needs enabling so, it can be tested be for its enabled by default. |
@zero77 No blacklist on Smart HTTPS. |
@ivysrono |
|
@Bisaloo That way if https is not supported any failed https connection attempts will automatically be downgraded, users will only see a delay and nothing else. |
@zero77 In Smart HTTPS, no blacklist for upgrade-insecure-requests to fix issues in cases where a resource is included from a domain that doesn't support https. |
@zero77 For your comment #8506 (comment), particularly
you might find the discussion in issue #8239 |
Any progress on this? If help is needed I am more than happy to contribute some time. |
@justyntemme As far as I know there is no active work on this. We seem agreed that adding upgrade-insecure-requests is fine in If you want to create a pull request adding the functionality I described, go ahead, as long as you understand that there's no guarantee it will be merged. There's almost no chance it will be added unless someone does the work first -- @Hainish / EFF staff need to approve it, and they are almost certainly not going to write it themselves or approve it in advance. |
@jeremyn That sounds completely reasonable. I would not expect anything less of the EFF. I just wanted to make sure nobody was working hard on this before I started devoting time. Thank you. |
FYI, I've filed a PR in #14600. |
From #7435 (comment):
Furthermore, we might be able to do something on mixedcontent rulesets.
The text was updated successfully, but these errors were encountered: