
HTTPS Everywhere/EZProxy interaction causing infinite loops on anu.edu.au

Open ideabucket opened this issue 5 years ago • 0 comments

Type: ruleset/website issue

Domain: anu.edu.au

HTTPS Everywhere causes an infinite redirect loop with the Australian National University’s EZProxy, which as far as I can tell is another manifestation of the securecookie issue described in #10161 and #19287.

Example behaviour in Firefox 79 with HTTPS Everywhere v2020.5.20:

The user requests a non-encrypted URL from EZProxy, e.g.:

https://login.virtual.anu.edu.au/login?qurl=http%3A%2F%2Fwww.chronicle.com%2Farticle%2FIts-Not-the-Same-for-Women%2F234535

EZProxy processes the user login and returns a 302 redirect to the proxied URL, e.g.:

HTTP/1.1 302 Moved temporarily
Location: http://www.chronicle.com.virtual.anu.edu.au/article/Its-Not-the-Same-for-Women/234535

However because the EZProxy login cookie is forced secure the browser doesn't include it in the request to the redirected URL, so EZProxy redirects the user back to the login page:

HTTP/1.1 302 Moved temporarily
Location: https://login.virtual.anu.edu.au/login?qurl=http://www.chronicle.com%2farticle%2fIts-Not-the-Same-for-Women%2f234535

…which is secure, and so gets sent the ezproxy cookie, and so redirects the user-agent to the insecure content URL, and round and round and round we go.

This can usually be worked around by URL-hacking the initially requested URL to its HTTPS version if the proxied site supports it, but not all of them do, and EZProxy's behaviour with secure URLs (http://www.chronicle.com is proxied as http://www.chronicle.com.virtual.anu.edu.au but https://www.chronicle.com is proxied as https://www-chronicle-com.virtual.anu.edu.au) means that doesn't always work.

I've taken a look at the ANU.edu.au.xml ruleset file to see if I could test the fix described in #10161 myself, but it’s kind of… terrifying, and I couldn't get HTTPS Everywhere to pick up a modified ruleset in the HTTPSEverywhereUserRules folder.

In theory if I understand the other two issues correctly it should be possible to fix this either by removing virtual.anu.edu.au (the EZProxy server) from the ruleset, or not applying the securecookie rule to the ezproxy, ezproxyn, and ezproxyl cookies. Happy to assist with testing and/or provide HARs of the looping requests.

Thanks!

ideabucket, Jul 29 '20 03:07
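As an added example (not from the issue or from the HTTPS Everywhere project), a small Python model of the loop described in the report: a cookie jar that honours the Secure attribute, an EZProxy stub, and the securecookie rule represented as a list of covered hosts. With virtual.anu.edu.au covered it reproduces the two-hop loop; with that host excluded from the rule, or with an https:// target, the redirect chain terminates, matching the two workarounds the report mentions. Class and function names are assumptions for this example.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Constructed model of the interaction in the report; host names follow it, the rest is assumed.
PROXY_HOST = "login.virtual.anu.edu.au"
COOKIE = "ezproxy"


def proxied_url(target):
    """EZProxy host rewriting as the report describes it: http targets keep their dots,
    https targets get dashes, and both land under virtual.anu.edu.au."""
    t = urlsplit(target)
    host = t.netloc.replace(".", "-") if t.scheme == "https" else t.netloc
    return f"{t.scheme}://{host}.virtual.anu.edu.au{t.path}"


class EZProxy:
    """Minimal stub: /login sets the session cookie and 302s to the proxied target;
    a proxied host that does not receive the cookie 302s back to /login."""

    def __init__(self):
        self.target = None

    def handle(self, url, cookies_sent):
        u = urlsplit(url)
        if u.netloc == PROXY_HOST and u.path == "/login":
            self.target = parse_qs(u.query)["qurl"][0]
            return True, proxied_url(self.target)           # Set-Cookie + Location
        if COOKIE in cookies_sent:
            return False, None                               # 200, content served
        return False, f"https://{PROXY_HOST}/login?qurl={quote(self.target, safe='')}"


def simulate(start_url, securecookie_hosts, max_hops=10):
    """Follow redirects like a browser whose cookie jar honours the Secure attribute.
    securecookie_hosts models the ruleset's securecookie targets: a cookie set by a matching
    host is flagged Secure and withheld from http:// requests. Returns (urls requested, looped)."""
    jar = {}  # cookie name -> Secure flag (one cookie domain, so Domain matching is omitted)
    proxy, url, hops = EZProxy(), start_url, [start_url]
    for _ in range(max_hops):
        u = urlsplit(url)
        sent = {n for n, secure in jar.items() if u.scheme == "https" or not secure}
        set_cookie, location = proxy.handle(url, sent)
        if set_cookie:
            jar[COOKIE] = any(u.netloc.endswith(h) for h in securecookie_hosts)
        if location is None:
            return hops, False
        if location in hops:  # the same URL is requested again without progress: a loop
            return hops, True
        url = location
        hops.append(url)
    return hops, True
```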