Skip to content

GitLab

Trac
Trac

GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

Closed (moved)
Opened by cypherpunks@cypherpunks

WebAssign site produces litany of "Security Warning" alerts

VERSION: HTTPS Everywhere 3.0.4 BROWSER: Firefox 17.0 on Windows

While using WebAssign as a logged in user and with HTTPS Everywhere protection enabled, one encounters a "Security Warning" for every click due to what the browser thinks is the submission of an unprotected form from an https-protected webpage. In reality (as verified using firefox's web console), HTTPS Everywhere is indeed converting the http POST link to https, but at a lower level than whatever causes the warning dialog.

I suspect the reason HTTPS Everywhere can't convert the link ahead of time is due to its being generated by javascript such as this:

!javascript:onclick=document.forms[0].clicked.value='31,17';document.forms[0].action.value='roster/view';%20document.forms[0].showAll.value='0';document.forms[0].submit(this);

To reproduce:

  1. Go to the Webassign demo site
  2. Note that this subdomain is not currently covered by the HTTPS Everywhere plugin, but the plugin could easily be extended for both testing and production purposes.
  3. Change the http to https (or have the HTTPS Everywhere do it for you by including demo.webassign.net)
  4. Click on something like "Roster"
  5. See the submission error

Could someone please take a look at this?

Thank you in advance

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information