Making the Google API's & CDN websites calls goes with the secured protocols recursively? #5115

Open
nishanthj6 opened this issue Jul 3, 2019 · 4 comments
Labels
feature/https-everywhere Issues related to the HTTPS Everywhere component of Shields OS/Desktop

Comments

@nishanthj6

Description

I'm trying to make an unsecured (non-SSL) hosted server, whose pages are coded to call the standard Google APIs and CDN websites, have those connections go via encryption.

Steps to Reproduce

For instance, say I had included the script below on our hosted server:

<style type="text/css">
  @import url(http://fonts.googleapis.com/css?family=Oswald:400,300);
  @import url(http://fonts.googleapis.com/css?family=Open+Sans);
</style>

<section class="divider parallax layer-overlay overlay-deep" data-stellar-background-ratio="0.2"  data-bg-img="http://placehold.it/1920x1280"> ... </section>
<div class="thumb"><img alt="" src="http://placehold.it/270x270" class="img-fullwidth"></div>

<script src="http://maps.google.com/maps/api/js"></script>

With the Connections encrypted feature enabled, and the page calling the Google APIs and some other sites connected with the website, it encrypts only:

  1. fonts.googleapis.com
  2. placehold.it
  3. AuthenticationService of Google Map API

Actual result:

https://maps.googleapis.com/maps/api/js/AuthenticationService.Authenticate?1shttp%3A%2F%2Fsomedomain.org%2F&5shttp%3A%2F%2Fsomedomain.org%2F&callback=_xdc_._l5b8s4&token=72548


and the rest of the calls mentioned below weren't encrypted at all.

http://maps.google.com/maps/api/js

http://maps.google.com/maps-api-v3/api/js/37/6/common.js

http://maps.google.com/maps-api-v3/api/js/37/6/util.js

Expected result:

The below sites should be encrypted:
http://maps.google.com/maps/api/js

http://maps.google.com/maps-api-v3/api/js/37/6/common.js

http://maps.google.com/maps-api-v3/api/js/37/6/util.js

Reproduces how often: Every time

Brave version (brave://version info)

Brave 0.62.51 Chromium: 73.0.3683.103 (Official Build) (64-bit)
Revision e82a658d8159cabbd4938c1660f9bb00b4a82a23-refs/branch-heads/3683@{#902}
OS Windows 10 OS Build 10586.1176

Version/Channel Information:

  • Can you reproduce this issue with the current release?
    Yes
  • Can you reproduce this issue with the beta channel?
    Don't know
  • Can you reproduce this issue with the dev channel?
    Don't know
  • Can you reproduce this issue with the nightly channel?
    Don't know

Other Additional Information:

  • Does the issue resolve itself when disabling Brave Shields?
    No
  • Does the issue resolve itself when disabling Brave Rewards?
    No
@rebron
Collaborator

rebron commented Jul 5, 2019

cc: @fmarier Can you take a look?

@rebron rebron added the webcompat/not-shields-related Sites are breaking because of something other than Shields. label Jul 5, 2019
fmarier added a commit to fmarier/brave-testing that referenced this issue Jul 5, 2019
@fmarier
Member

fmarier commented Jul 5, 2019

I can reproduce using http://fmarier.com/same-site/brave-browser-5115.html:

Screenshot from 2019-07-05 10-45-06

We are making the following HTTP requests even with HTTPS upgrades turned on:

GET http://maps.google.com/maps/api/js
GET http://maps.google.com/maps-api-v3/api/js/37/6/intl/en_gb/common.js
GET http://maps.google.com/maps-api-v3/api/js/37/6/intl/en_gb/util.js

and that's despite the fact that HTTPS Everywhere includes a rule for maps.google.com.

For comparison, on Firefox using the HTTPS Everywhere extension, the requests to maps.google.com are correctly upgraded to HTTPS:

Screenshot from 2019-07-05 10-54-48
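
What an upgrade pass is expected to do with the requests listed in the comment above, as an added sketch that is not part of the thread and is not Brave's or HTTPS Everywhere's code. The rulesets are constructed for illustration (not copied from the real rule files), and the matcher handles only exact hosts and a leading `*.` wildcard:

```javascript
// Constructed rulesets in the HTTPS Everywhere style (targets, exclusions, rules).
// Illustrative only: not copied from the real HTTPS Everywhere rule files.
const RULESETS = [
  {
    name: "Google Maps (constructed)",
    targets: ["maps.google.com", "maps.googleapis.com"],
    exclusions: [],
    rules: [{ from: /^http:/, to: "https:" }],
  },
  {
    name: "Google Fonts API (constructed)",
    targets: ["fonts.googleapis.com"],
    exclusions: [],
    rules: [{ from: /^http:/, to: "https:" }],
  },
];

// A target matches exactly, or via a leading "*." wildcard (subdomains only).
function hostMatches(target, host) {
  if (target.startsWith("*.")) return host.endsWith(target.slice(1));
  return target === host;
}

// Returns the upgraded URL, or the original URL when no ruleset applies.
function upgradeUrl(url, rulesets = RULESETS) {
  const parsed = new URL(url);
  if (parsed.protocol !== "http:") return url; // already secure or not HTTP
  for (const rs of rulesets) {
    if (!rs.targets.some((t) => hostMatches(t, parsed.hostname))) continue;
    if (rs.exclusions.some((re) => re.test(url))) continue; // ruleset opts out
    for (const { from, to } of rs.rules) {
      if (from.test(url)) return url.replace(from, to); // first matching rule wins
    }
  }
  return url;
}

// Returns the URLs that would still be fetched over HTTP after the upgrade pass.
function auditRequests(urls, rulesets = RULESETS) {
  return urls.map((u) => upgradeUrl(u, rulesets)).filter((u) => u.startsWith("http:"));
}

// The three requests reported in this issue, plus one host with no ruleset.
const observed = [
  "http://maps.google.com/maps/api/js",
  "http://maps.google.com/maps-api-v3/api/js/37/6/intl/en_gb/common.js",
  "http://maps.google.com/maps-api-v3/api/js/37/6/intl/en_gb/util.js",
  "http://no-rule.example/app.js",
];
console.log(auditRequests(observed));
```

With a ruleset covering maps.google.com, none of the three reported requests should remain in the audit output; only the host without a ruleset stays on HTTP.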

@nishanthj6
Author

That sounds great.

Are there any browser add-ons, to your knowledge, that, when browsing the non-secured (HTTP) version of a website, apply encryption only to the calls made to CDNs and Google APIs?
Because when you are browsing the non-secured (HTTP) version of a website, the browser extension HTTPS Everywhere is disabled after clicking Open insecure Page. But when tested, SKN SSL Enforcer isn't disabled, thereby making every Google API call go via encryption. That might be sufficient, but the drawback is that we need to manually include rules for other websites.

By default, loading the non-secured version of a CDN over HTTPS gives rise to an error on the console:

Mixed Content: The page at 'https://somedomain.in' was loaded over HTTPS, but requested an insecure script 'http://code.jquery.com/jquery-migrate-3.0.0.min.js'. This request has been blocked; the content must be served over HTTPS.

@fmarier

@nishanthj6
Author

For instance, if we surf to e.g. http://www.memo.tv, the extension doesn't connect to https://www.memo.tv/ with SSL enabled.

@fmarier

@fmarier fmarier added feature/https-everywhere Issues related to the HTTPS Everywhere component of Shields and removed webcompat/not-shields-related Sites are breaking because of something other than Shields. labels Jul 12, 2019