Closed (moved)
Opened Aug 23, 2018 by cypherpunks@cypherpunks

HTTPS Everywhere upgrade-insecure-header injection appears to be broken on 8.0a9 / 8.0a10

Replying to cypherpunks:

I compared the behavior between 8.0a8 and 8.0a9:

  • Open 8.0a8, and check the "Block all unencrypted requests" in the HTTPS-E popup.

  • Go to a mixedcontent website (go to the GitHub repository efforg/https-everywhere, then search for mixedcontent and find a recently edited one); here's an example of such a site

  • Open that site with your browser console open; you can see that HTTPS-E injects an upgrade-insecure-requests header and everything now goes through HTTPS, including scripts, CSS, etc.


  • Open 8.0a9, and check the "Block all unencrypted requests" in the HTTPS-E popup.

  • Go to the previously mentioned site.

  • There doesn't appear to be any injection of the upgrade-insecure-requests header; CSS is broken, etc., as a result.

This doesn't affect Firefox Nightly 63a1.
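
One way to turn the comparison above into a repeatable check (an added example, not part of the original report and not HTTPS Everywhere's code): it inspects response headers and request URLs copied from the browser's network panel and reports whether the `upgrade-insecure-requests` CSP directive is present. The capture objects, the `example.test` URLs and the function names are constructed for illustration.

```javascript
// Constructed captures: response headers of the top-level document and the
// subresource URLs the page tried to load, one per browser build under test.
const captureWorking = {
  headers: [
    { name: 'Content-Type', value: 'text/html' },
    { name: 'content-security-policy', value: "default-src 'self'; Upgrade-Insecure-Requests" },
  ],
  requested: ['https://example.test/style.css', 'https://example.test/app.js'],
};
const captureBroken = {
  headers: [{ name: 'Content-Type', value: 'text/html' }],
  requested: ['http://example.test/style.css', 'http://example.test/app.js'],
};

// Return the lowercase directive names found in one CSP header value.
// ',' separates policies and ';' separates directives within a policy.
function cspDirectiveNames(value) {
  return value
    .split(/[;,]/)
    .map((part) => part.trim().split(/\s+/)[0].toLowerCase())
    .filter((name) => name.length > 0);
}

// headers: array of {name, value}. Only the enforcing header is checked;
// Content-Security-Policy-Report-Only is deliberately not counted.
function hasUpgradeInsecureRequests(headers) {
  return headers
    .filter((h) => h.name.toLowerCase() === 'content-security-policy')
    .some((h) => cspDirectiveNames(h.value || '').includes('upgrade-insecure-requests'));
}

// Summarize one capture: is the directive present, and which requested
// URLs still use plain http?
function summarize(capture) {
  return {
    upgradeHeader: hasUpgradeInsecureRequests(capture.headers),
    insecure: capture.requested.filter((u) => new URL(u).protocol === 'http:'),
  };
}

console.log('working build:', summarize(captureWorking));
console.log('broken build: ', summarize(captureBroken));
```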

Reference: legacy/trac#27280