Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HTTPS anywhere extension prevents iD from loading on openstreetmap.org #1435

Closed
pnorman opened this issue May 8, 2013 · 8 comments
Closed

HTTPS anywhere extension prevents iD from loading on openstreetmap.org #1435

pnorman opened this issue May 8, 2013 · 8 comments

Comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants
@tmcw @jfirebaugh @pde @yardenac @pnorman
@pnorman
Copy link
Contributor

@pnorman pnorman commented May 8, 2013

The OpenStreetMap Wiki ruleset prevents iD from loading on the main page in Firefox. This is browser-specific as it works fine in Chrome with the wiki ruleset enabled.

Upstream bug: https://trac.torproject.org/projects/tor/ticket/8841
@jfirebaugh
Copy link
Member

@jfirebaugh jfirebaugh commented May 10, 2013

Is there anything iD can do to mitigate this?

@tmcw
Copy link
Contributor

@tmcw tmcw commented May 10, 2013

It's easy to turn off https anywhere in this case. Maybe we should have a 'Troubleshooting' guide for things like this?

@pnorman
Copy link
Contributor Author

@pnorman pnorman commented May 10, 2013

I can see a few ways to mitigate this

  • Default to something more sensible than blankness if iD fails to load. If you try P2 without flash you get some kind of error message letting you know something is wrong. The blank window doesn't let you know if it's a browser issue, server issue, or you did something wrong.
  • Build up a troubleshooting guide with common problems, etc
  • See what is causing the problem with Firefox but not Chrome. My guess is some file that one is allowing but the other isn't. We may not be able to fix it and conclude its an extension bug (specifically with the HTTPS anywhere OSM wiki ruleset) but we should know what it is

@pde
Copy link

@pde pde commented May 22, 2013

Hi. I'm one of the HTTPS Everywhere developers. This bug looks fairly mysterious to me, so I think we might have to mitigate it by disabling our OSM wiki ruleset in our next release. This of course will leave OSM accounts completely vulnerable to surveillance, hijacking, cookie theft, etc :(

We do have the following information available for anyone who wants to work on debugging this:

https://www.eff.org/https-everywhere/atlas/domains/openstreetmap.org.html

@pnorman
Copy link
Contributor Author

@pnorman pnorman commented May 23, 2013

I installed firebug and the error I got was

SecurityError: The operation is insecure.
http://www.openstreetmap.org/assets/iD-1d6bb550b040bb8d426e995f36f1e2d1.js
Line 93

Since the ruleset is called OpenStreetMap wiki it probably shouldn't include the OSM website at all regardless of this bug.

If creating a new ruleset for the OSM website it's probably safe to direct /login and /user/new to HTTPS. Although this leaves open some attack vectors it closes off at least one, and I think that would work with iD.

@jfirebaugh jfirebaugh mentioned this issue May 29, 2013
Closed
@jfirebaugh
Copy link
Member

@jfirebaugh jfirebaugh commented Aug 6, 2013

According to https://gitweb.torproject.org/https-everywhere.git/commit/6d45cb17509225cf4f5faa88c903b4a5b18a67d2 the OSM.org rule is now disabled by default. If someone wants to figure out how to fix it and reenable, go for it. Closing here.

@jfirebaugh jfirebaugh closed this Aug 6, 2013
yardenac added a commit to yardenac/https-everywhere that referenced this issue Feb 13, 2014
@yardenac
[OpenStreetMap] enable the main site, except for /edit
d2d98fb 
- the editor was breaking in firefox https://trac.torproject.org/projects/tor/ticket/8841
- rather than fix the bug, OSM seems to be redirecting their editor to port 80 openstreetmap/iD#1435
- no securecookies until that is fixed :/
@yardenac
Copy link

@yardenac yardenac commented Feb 13, 2014

If I go to https://www.openstreetmap.org/edit today, it bumps me back to port 80. Is the server rewriting on purpose to work around this bug? Meanwhile I've submit an https-everywhere patch which just excludes /edit here: EFForg/https-everywhere#158

@pnorman
Copy link
Contributor Author

@pnorman pnorman commented Feb 14, 2014

That's out of scope for iD, as it does it for all editors. /edit is not on HTTPS because it hasn't been tested, and there are almost certainly mixed content issues.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment