Just like the title says, using CloudFront's SSL/HTTPS when trying to view Xtra Points videos breaks the videos and sometimes crashes Flash and/or the browser. Disabling it makes it play, but it takes ages to finally play (I'm not sure why, but I thought I would mention it in case HTTPS Everywhere is causing it, maybe it has something to do with the way the main website and the PowerUp Rewards site communicate). Figgler says the HTTP and HTTPS requests go through the roof.

I can't seem to find anything on my own (I was using the Firefox Developer tools and Figgler4), so I thought I would post an issue and see if anyone else had the issue, knew anything about it, or could offer any technical assistance with the issue. Any and all help or information is appreciated.

Reported via email. Am marking as high-priority.

"""
It appears that version 4.0development.15 no longer loads any user
rulesets, at least in the form in which they worked in previous
versions.

I am aware that this is due to the change to an SQLite-based container
for the built-in rulesets. I did examine the source code enough to
determine that nothing currently calls the getCustomRuleDir() function
defined in HTTPSRules.js.
"""

Someone should take this project; it sounds fun!

The idea is to write a program that parses HTTPS Everywhere rules and detects which ones can be equivalent to HSTS preloads. Seth took a stab at it in utils/simple.py, but it needs some work.

Once we have a list of rules from HTTPS Everywhere that can be used to expand the built-in browser HSTS preload list, there's a couple of awesome things we can try:

• Offer this list as a download to developers writing software/apps that would benefit from STS.
• Since it's impossible to make HTTPS Everywhere for Safari, the next-best thing seems to be adding this list to ~/Library/Cookies/HSTS.plist in Mavericks. This file remembers STS for Safari and possibly other apps as well.
• Perhaps we can completely replace these rules in FF and Chrome by STS preloads so that we use the browsers' built-in STS mechanism for switching domains to HTTPS rather than HTTPS Everywhere's. This might help with performance issues.

Once in the observer for profile-after-change, twice in the observer for nsPref:changed. Since this is an expensive call, we should find a way to make sure it only happens once during startup.

The current ruleset breaks the new video player, not sure what though havent looked, it works when the plugin is disabled though.

[For issue #12, though that's doing pretty well now :) ]

Chome's beta channel now supports declarativeWebRequests: http://developer.chrome.com/extensions/declarativeWebRequest.html

This is a high-performance way to use blocking webRequests without triggering our slow JS code on every request. Plus, it's designed to easily support the declaration of "hundreds of thousands of URLs."

I'll integrate & test, hopefully we can merge after this makes it into stable (M33 at the earliest).

This'll probably work like:

• Keep the current webRequest handler (to catch tabs opening on start)
• Build & invoke the declarativeWebRequest list
• Drop the webRequest handler (removeListener)

Not sure what we want to do here ...

Chrome & its APIs evolved a lot since the original code.

Let's be paranoid and validate HTTPS Everywhere using Wireshark (and maybe write some tiny, manual testcases w/ tcpdump).

We have a domain that we include in newsletters etc which is a CNAME for a third party service that don't provide SSL. As this causes untold issues for users with HTTPS everywhere, am I right in assuming that we can add a rule to prevent this redirection using downgrade?

For example:

 <rule from="^https:\/\/www\.mysite\.com\/(.*)$" to="http://www.mysite.com/$1" downgrade="1" />

Bearing in mind I can't do anything about the non SSL nature of the third party - is this the best approach?

As previously mentioned on the TorProject bug tracker, cookies can be leaked from incognito mode if HTTPS Everywhere is enabled for incognito mode.

The cause was determined on the original bug report, but the problem was never resolved:

Turns out this appears to be an Chrome API bug. We're getting the onCookieChanged event, and the cookie we get in that event has a storeId of 0 regardless of where it comes from (Incognito or not). We then turn right around and set the secure flag on the cookie and issue a cookies.set(cookie). Since the storeId is still the default store, the cookie leaks to normal mode.

This is a severe bug for anybody who enables HTTPS-E for use in incognito mode, as it leaks data from a purportedly private and temporary session into the permanent record of the primary session.

In my opinion, the security risk of leaking cookies is greater than the risk of not setting the secure flag on the cookies, particularly since HTTPS Everywhere already ensures that the cookies will not be transmitted in clear text by redirecting all communications to HTTPS in the first place.

As a stopgap solution, I would recommend detecting if the plugin is operating in incognito mode, and if so, not modifying any cookies. Optionally, a warning could be shown to the user explaining the reduced functionality in incognito mode.

As a longterm solution, either an alternate method for securing cookies should be developed, or the HTTPS Everywhere team should take responsibility for filing a bug report with Google regarding the aforementioned Chrome API bug.

Youtube live streaming broken.

For example this https://www.youtube.com/watch?v=jrZcAsPKK74 error with extention.

The rules for Kikatek.com redirect everything to https://secure.Kikatek.com, which returns a certificate only valid for Kikatek.com and www.Kikatek.com.

I'm using Chrome Stable on Ubuntu Linux 13.10, x86_64. When trying to enable the Stack overflow (Mixed Content) ruleset, I can't login via StackExchange OpenID.
Steps to reproduce that work for me:

• Ensure you're not logged in in StackOverflow and that the ruleset is enabled
• Click the Login Button, click on StackExchange button (I was able to reproduce this with Google login, too)
• Message is shown: "Third Party Cookies Appear To Be Disabled", click on "continue and login manually
• Enter StackExchange credentials and click login button
• You are redirected (via OpenID) to the StackOverflow site. The following error message is shown in bold red :

Unable to log in with your OpenID provider:

The openid.return_to parameter (http://stackoverflow.com/users/authenticate/?s=[.......] does not match the actual URL (https://stackoverflow.com/users/authenticate/?s=[.......]) the request was made with.

(Note: Any query parts were removed to protect me from potential session hijacking, but I'm happy to send you the full error message by E-Mail if neccessary, please use the email listed on Github and my PGP key 1BAA8BBC.)

This issue reproducibly doesn't occur when the StackExchange rule in HTTPS Everywhere is disabled.

The only difference I can spot in the two URLs is that one is HTTP and the other is HTTPS. I think its therefore safe to assume that HTTPS Everywhere kills the OpenID login process by changing the URL scheme

Possible solution: Add http://stackoverflow.com/users/authenticate to blacklist, so HTTPS everywhere leaves this request unencrypted. Maybe it's even possible to encrypt the originally requested URL (I don't know too much about the OpenID internals)?

Thank in advance for reviewing this & for this awesome tool!

The SublimeVideo.xml rule is redirecting https://cdn.sublimevideo.net to https://data.sublimevideo.net. However:

$ curl -sI https://cdn.sublimevideo.net/c/sa/2.2.13/sa.js | head -1
HTTP/1.1 200 OK
$ curl -sI https://data.sublimevideo.net/c/sa/2.2.13/sa.js | head -1
HTTP/1.1 404 Not Found

I only noticed this because it was breaking video embeds in CloudUp (like https://cloudup.com/iNV0ccD2ytL)

tested https-everywhere-3.4.5.xpi and https-everywhere-4.0development.15.xpi

www.pcworld.com is configured according to HTTPS everywhere to use HTTPS. however their server does currently not provide HTTPS

currently HTTPS everywhere & makes it impossible to visit pcworld.com

Cannot view all Rules in https-everywhere-4.0development.15.xpi

Images on XKCD.com are broken in Firefox 28.0 with HTTPS-Everywhere 3.5.

The issue appears to be that the rule to convert http://imgs.xkcd.com to https://sslimgs.xkcd.com/ is altering the protocol, but not the host name. This results in the browser trying to load an image from https://imgs.xkcd.com, but recieving a certificate for *.voxcdn.com

I have attached a screenshot of the issue.

The rule sets "Google Video" and "Google API" seem to break the YouTube history for me. After deactivating them, the history works again.

I think I blamed the wrong end. Sorry.

disable putlocker rule -- breaks streaming

I think there might be a bug lurking in the cookie code, specifically here:
https://github.com/EFForg/https-everywhere/blob/master/chromium/background.js#L325

From the Cookie API (which is pretty clunky): http://developer.chrome.com/extensions/cookies.html#method-set

When setting cookies, specifically the "domain" parameter means: "The domain of the cookie. If omitted, the cookie becomes a host-only cookie."

I think we're (maybe) accidentally stripping the host-only parameter (by never checking it, and always setting a domain), which might duplicate those cookies.

https-everywhere use https to support imgs.xkcd.com, which doesn't support it. This prevents the loading of images on xkcd.com.

Per Firefox's bugzilla, when included in the new panel created by versions of Firefox utilizing Australis, the https everywhere icon pushes the third icon off its row.

For example https://tweakers.net/video/8988/samsungs-15-komma-6-inch-ativ-books.html will not load when the rule "doubleclick.net (testing)" is enabled.

there are 2 rules for warez-bb.org

one is enabled.

other one is disabled.

Titile:- Enabling "Https everywhere" in chrome leads to disappearing grid icon at Google home page

Steps to reproduce:- (Prerequisites are Https everywhere extension is installed in chrome)

1:- Go to Google Homepage before enabling https everywhere and check if Grid icon appears at homepage

2:- Enable "Https everywhere" and check if you still see the grid icon, it disappears

Note:- Refer to screenshots attached.

System Info:-
Windows 7 (Ultimate) -64bit
Google Chrome:- Version 31.0.1650.63 m
Https everywhere:- 2013.10.16

Submitted by:-

Kashif Ahmad
[email protected]
+91-7259582807

The Stack Exchange search page doesn't work with SSL because of the way it pulls in Google results. The team doesn't seem to have any intention of fixing that at this time.

Can we exclude that page from SSL?

Composing a post on Tumblr seems to be broken when HTTPS everywhere is enabled on Chrome. This just started happening today, so I suspect it's an issue with version 2014.4.16. To reproduce (assuming you have a tumblr account):

• Go to http://www.tumblr.com/blog/<your blog>.
• Click "Text" on the big bar with all the buttons.
• Notice that the screen goes dark but no text box appears.

I'm using Chrome 34.0.1847.116 m on Windows 8.1.

[Chrome specific]

I'll be sending a bunch of pull requests over the next few days. Just wanted to open a tracking bug.

HTTPS Everywhere takes an enormous amount of CPU time, which you can see from both the Task Manager and performance profiling in Chrome. The taskbar even on fast machines frequently shows "Waiting for extension HTTPS Everywhere …".

The current performance even makes HTTPS Everywhere borderline unusable on underpowered machines (e.g. some Chromebooks).

http://notepad.cc/chuxupe56

Using Cloudfront ruleset causes duolingo.com to load partially, rendering the website unusable. Screenshots:

https-everywhere "loops" for http://extensions.joomla.org/ - no page result

https://dl.dropboxusercontent.com/s/aikp1alop1freus/pan.baidu.com.xml

To replicate:

1. Install HTTPS-everywhere on chrome 34.0.1847.116 m
2. Go to http://www.twitch.tv/directory/all
3. Page will be grey, with a logo in center.

This started happening after this commit: 8cfd611

https://twitter.com/KoHoSo/status/458418112220508160

Some charakters (eg äöü) are displayed wrong.
Goto Enable / Disable Rules and type "Ã" for an exapmle.

I think the charset should be utf-8.

With HTTPS Everywhere 2014.4.16 installed, visiting speedtest.net results in a page where the actual speed test flash application fails to work, so you get a nice big blank box

Browser: chrome
Example (may be fixed soon though Fixed by using https directly): http://yeoman.io/community-generators.html

Page tries to load http://yeoman-generator-list.herokuapp.com/ which results in: XMLHttpRequest cannot load http://yeoman-generator-list.herokuapp.com/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://yeoman.io' is therefore not allowed access..

If the page requests the https version directly then it works.

If you've https-everywhere addon enabled, go and click some video here:
https://www.youtube.com/live/all
Then you get an "Stand by" message, however if you disable the rules (Google Api & Youtube partial) you can stream again from youtube.

While trying to implement declarativeWebRequests for issue #132, I noticed Chrome sending some SYNs to port 80 that I don't think should be. I think I missed this earlier having scoped Wireshark to "http" instead of port 80.

Try, e.g. the rule for en.wikipedia.org
https://github.com/EFForg/https-everywhere/blob/master/src/chrome/content/rules/Wikimedia.xml

tcpdump/Wireshark show a handshake & immediate FIN on port 80:

22:20:21.979130 IP 192.168.1.14.55851 > text-lb.eqiad.wikimedia.org.http: Flags [S], seq 3650291652, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 337177919 ecr 0,sackOK,eol], length 0
22:20:22.024873 IP text-lb.eqiad.wikimedia.org.http > 192.168.1.14.55851: Flags [S.], seq 54350754, ack 3650291653, win 14480, options [mss 1460,sackOK,TS val 4247761202 ecr 337177919,nop,wscale 9], length 0
22:20:22.024940 IP 192.168.1.14.55851 > text-lb.eqiad.wikimedia.org.http: Flags [.], ack 1, win 8235, options [nop,nop,TS val 337177963 ecr 4247761202], length 0
22:20:23.591796 IP text-lb.eqiad.wikimedia.org.http > 192.168.1.14.55851: Flags [S.], seq 54350754, ack 3650291653, win 14480, options [mss 1460,sackOK,TS val 4247761582 ecr 337177963,nop,wscale 9], length 0
22:20:23.591832 IP 192.168.1.14.55851 > text-lb.eqiad.wikimedia.org.http: Flags [.], ack 1, win 8235, options [nop,nop,TS val 337179512 ecr 4247761582], length 0
22:20:28.813958 IP text-lb.eqiad.wikimedia.org.http > 192.168.1.14.55851: Flags [F.], seq 1, ack 1, win 29, options [nop,nop,TS val 4247762883 ecr 337179512], length 0
22:20:28.814002 IP 192.168.1.14.55851 > text-lb.eqiad.wikimedia.org.http: Flags [.], ack 2, win 8235, options [nop,nop,TS val 337184714 ecr 4247762883], length 0

I'm not sure this is a real disclosure (I mean, we make a very similar SYN/ACK on 443), but it's odd.

Opening an issue here, though I may report his at http://crbug.com too (if this isn't our fault).

I have an application that is not https enabled (can provide link privately to developers).

Because herokuapp is providing a piggyback SSL certificate to all apps, HTTPS Everywhere forces a redirect to https. Then, Firefox blocks mixed content and none of the CSS shows up, so the app looks broken.

You might want to consider excluding herokuapp.com, or another rule change.

I did some investigating, turns out HTTPS Everywherre was the culprit...
Only after I disabled forcing HTTPS on Wordpress.com, Chrome stopped crashing.

Please read full details here: https://code.google.com/p/chromium/issues/detail?id=365309

Hi, since a few days is the chrome version (on chrome 34.0.1847.116 for Mac) creating a display bug on Pinterest pages : Pinterest icons and text are hidden. It is also impossible to navigate into Pinterest or log out ! - I have to switch-off https-e until the bug solving.
Best.
PS : Dropr web site is also having a lot of troubles with it's images ..

https://dl.dropboxusercontent.com/s/eb492tr7vwlde80/mozest.xml

Reported via email that rulesets don't work: "Firefox 24.4 ESR and SeaMonkey 2.21 ESR (both on CentOS/RHEL6). Tested on XKCD and 7chan. Both worked on 3.4.5, but not 3.5."

The cloudfront ruleset breaks the webpages of the journals of the american physical society (PRL, PRB, ...), this makes the site unusable, since citations cannot be exported anymore.
Disabling The cloudfront ruleset reverts to the usual layout.

I use iceweasel 27.0 with HTTPS everywhere 3.4.5

In Chrome v34 I tried multiple videos on Ted.com and none worked, I disabled extensions one by one after noticing they played fine in Incognito mode. HTTPS-E was the culprit.

I use latest version of Firefox and latest version of Https-everywhere 3.5
You tube can't work except I disable Https-everywhere
I enable it it stops working
This happens since the new version

We're using an old version: 1.7.2 (August 28th 2012)

There's a stable: 1.11.2 (August 14th 2013)

Could you replace chromium/URI.js with the new one?

https://raw.github.com/medialize/URI.js/gh-pages/src/URI.min.js

[via https://github.com/medialize/URI.js ]

The animated map at forecast.io does not function when HTTPS Everywhere is activated for Amazon Web Services. I don't know if this can be fixed without downgrade.

On visiting guardian.co.uk:

No window associated with request: http://static.guim.co.uk/favicon.ico
No window associated with request: http://static.guim.co.uk/favicon.ico
No window associated with request: https://image.guim.co.uk/favicon.ico
No window associated with request: https://image.guim.co.uk/favicon.ico
No window associated with request: http://10822091.log.optimizely.com/event?a=10822091&d=9797755&y=false&s172123993=none&s172284779=ff&s172368238=direct&s172233718=false&n=http%3A%2F%2Fwww.theguardian.com%2Fus%2Fbusiness&u=oeu1395694294671r0.30166143712792204&wxhr=true&t=1395694315685&f=
No window associated with request: http://10822091.log.optimizely.com/event?a=10822091&d=9797755&y=false&s172123993=none&s172284779=ff&s172368238=direct&s172233718=false&n=http%3A%2F%2Fwww.theguardian.com%2Fus%2Fbusiness&u=oeu1395694294671r0.30166143712792204&wxhr=true&t=1395694315685&f=
No window associated with request: https://10822091.log.optimizely.com/event?a=10822091&d=9797755&y=false&s172123993=none&s172284779=ff&s172368238=direct&s172233718=false&n=http%3A%2F%2Fwww.theguardian.com%2Fus%2Fbusiness&u=oeu1395694294671r0.30166143712792204&wxhr=true&t=1395694315685&f=
No window associated with request: http://www.theguardian.com/us/business?view=mobile
No window associated with request: http://api.nextgen.guardianapps.co.uk/top-stories/trails.json?page-size=10&view=link&_edition=us
No window associated with request: http://www.theguardian.com/us/business?view=mobile

This is probably going to be fixed by using the loadContext interface from the notification callbacks.