GNOME Bugzilla – Bug 745580
Insecure CSS on blogs.gnome.org
Last modified: 2015-03-04 16:58:29 UTC
Visiting this page:

https://blogs.gnome.org/mcatanzaro/2015/03/04/security-and-privacy-roadmap-for-epiphany-and-webkitgtk/

Epiphany displays a security warning, which is more than a little embarrassing as my blog is supposed to be focused on security and privacy. The problem is insecure CSS:

The page at https://blogs.gnome.org/mcatanzaro/2015/03/04/security-and-privacy-roadmap-for-epiphany-and-webkitgtk/ ran insecure content from http://blogs.gnome.org/mcatanzaro/wp-content/mu-plugins/bug-links/bug-links.css.

The page at https://blogs.gnome.org/mcatanzaro/2015/03/04/security-and-privacy-roadmap-for-epiphany-and-webkitgtk/ ran insecure content from http://blogs.gnome.org/mcatanzaro/2ed2a0138e7654e46fa439cb89097150.css?t=1393049160.

This CSS will be blocked in a future version of Epiphany, and it should already be blocked by Internet Explorer, Firefox, and Chrome. It should be loaded via HTTPS or not loaded at all.
I fixed the bug-links plugin on the server:

    // old: URL assembled from the siteurl option plus the plugin path
    //$css = trailingslashit(get_option('siteurl')) . trailingslashit(substr($blf, strpos($blf, 'wp-content'))) . 'bug-links.css';
    // new: let WordPress build the plugin URL with the scheme of the current request
    $css = plugins_url( 'bug-links.css', __FILE__ );

There's still a (seemingly useless) Cookies for Comments css to http.
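To find the kind of mixed content reported above before a browser does, here is an added Python example (not part of the bug report or of the WordPress plugin) that lists the http:// subresources an https:// page would fetch. The page URL and the first stylesheet URL are taken from the report; the other references are constructed.

```python
"""Flag mixed content: http:// subresources referenced from an https:// page."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose values make the browser fetch a subresource.
RESOURCE_ATTRS = {
    "link": ("href",),      # only rel=stylesheet links are considered below
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
}


class _RefCollector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.refs = []  # (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return  # e.g. rel=alternate is not fetched as a subresource
        for name in RESOURCE_ATTRS.get(tag, ()):
            if attrs.get(name):
                # Relative and scheme-relative URLs inherit the page's scheme.
                self.refs.append((tag, urljoin(self.base_url, attrs[name])))


def find_mixed_content(page_url, html):
    """Return the http:// subresource URLs a secure page would load."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only applies to https pages
    parser = _RefCollector(page_url)
    parser.feed(html)
    return [url for _, url in parser.refs if urlsplit(url).scheme == "http"]


# Constructed sample: one absolute http stylesheet (from the report), one
# scheme-relative and one path-relative stylesheet (both fine), one http script.
SAMPLE_PAGE = "https://blogs.gnome.org/mcatanzaro/2015/03/04/security-and-privacy-roadmap-for-epiphany-and-webkitgtk/"
SAMPLE_HTML = """
<link rel="stylesheet" href="http://blogs.gnome.org/mcatanzaro/wp-content/mu-plugins/bug-links/bug-links.css">
<link rel="stylesheet" href="//blogs.gnome.org/example/style.css">
<link rel="stylesheet" href="/mcatanzaro/example/theme.css">
<link rel="alternate" type="application/rss+xml" href="http://blogs.gnome.org/mcatanzaro/feed/">
<script src="http://blogs.gnome.org/example/script.js"></script>
"""

if __name__ == "__main__":
    for url in find_mixed_content(SAMPLE_PAGE, SAMPLE_HTML):
        print("insecure subresource:", url)
```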
Updated the cookies for comments plugin.
Thanks! Note that since the session cookie is evidently being sent with HTTP requests (bug #745579), this made it trivial for a MITM to log in as me, so it's especially good that it's fixed.