NoScript, Facebook, Forced HTTPS, cookies across sessions

[Panajev]

I have been using Facebook with the force HTTPS option and the secure cookies configured in the following way (never changed them in the past few months):

Force HTTPS: http://www.facebook.com
Never force: apps.facebook.com

Force HTTPS encrypted cookies: *.facebook.com

My issue, which has only begun to show up lately (it might be a change in how facebook deal with cookies [they do a lot of changes and they do them often], but also a change in how NoScript handles them), is best summarized as follows:

I login, click on the "remember me" checkbox facebook offers in their login page... if I close the browser, thus ending the current browsing session, and then I open it again, starting a new session, and load facebook up... I result logged out and I have to login again...

I decided to check for errors popping up as I complete the login procedure and indeed I see one:

Code: Select all

"Error: [Exception... "'NoScript aborted non-HTTPS redirection to http://www.facebook.com/login.php' when calling method: [nsIChannelEventSink::onChannelRedirect]"  nsresult: "0x8057001e (NS_ERROR_XPC_JS_THREW_STRING)"  location: "<unknown>"  data: no]"

What do you think?

[Giorgio Maone]

How do you load facebook exactly?
Do you use a bookmark, and if so, is it https or http?

[Panajev]

I'll say this just once... but this feels like the scene in Woody Allen's movie Bananas (considering we both speak Italian, still this forum is international ) .

I connect to facebook without using a bookmark, but just typing this into the Awesome Bar:

https://www.facebook.com/home.php

Just tried it now and it generates the following error:

Code: Select all

Error: [Exception... "'NoScript aborted non-HTTPS redirection to http://www.facebook.com/login.php' when calling method: [nsIChannelEventSink::onChannelRedirect]"  nsresult: "0x8057001e (NS_ERROR_XPC_JS_THREW_STRING)"  location: "<unknown>"  data: no]

[Giorgio Maone]

That's exceedingly strange.
I've got the same setup as yours (forcing facebook to https) and nothing wrong happen to me.
BTW, that message hints at facebook trying to re-redirecting you back to http, causing a redirect loop.
The only difference I can think about mine and your setup is my browser being localized in en-US (despite the fact I'm Italian).
Might it be Facebook forcing http instead of https for non-submission pages on international customers to save CPU resources (on the bet non-US customers are less security aware)?

[Tom T.]

I'll say this just once... but this feels like the scene in Woody Allen's movie Bananas (considering we both speak Italian, still this forum is international ) .

Your courtesy in using English lets all of the Anglophone world benefit from the knowledge gained by your post, and also all of those non-English-natives who have learned English as a second language that is becoming widespread in financial and trade matters, the Internet, and, of course, programming. Not that I think it's a perfect language -- it sucks, as far as learning easily. But your courtesy is appreciated.

btw, when I have visited non-Anglophone countries whose language I know something of, I try in their language, even if English is fairly widely understood. It seems to be appreciated, no matter how I mangle it. When in Rome, do as the Romans do, and when on an English web site ... Cheers! Cin cin! Salute!

...(on the bet non-US customers are less security aware)?

I think that's a bad bet. Statistics that I've seen are that Fx market share is much higher in Europe than in US. Also, a larger number of not-so-bright people in the US can afford computers. And since MS is a US-based company, Americans are less likely to distrust it. Our own government settled rather quickly on the monopoly issues, while the EU continues the fight, first removing Media Player from Windows bundle, now IE.

[Panajev]

Giorgio, I am currently in the U.S. using an EN-US localized browser on an EN-US localized OS and obviously on an US IP... even though this happened to me in Italy too.

This is my user-agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090616 Firefox/3.5

(Firefox 3.5 RC2 and I am running Windows 7 RC1 [Build 7100]... this happened also with Firefox 3.0.11 btw)

One correction about my first post in this thread:

Original:

Code: Select all

Force HTTPS: http://www.facebook.com
Never force: apps.facebook.com

Force HTTPS encrypted cookies: *.facebook.com

Revised (actual NoScript configuration):

Code: Select all

Force HTTPS: www.facebook.com
Never force: apps.facebook.com

Force HTTPS encrypted cookies: *.facebook.com

Should I try the * mark in the force HTTPS field... so Force HTTPS: www.facebook.com --> Force HTTPS: *.facebook.com while keeping the never force for apps.facebook.com?

Your courtesy in using English lets all of the Anglophone world benefit from the knowledge gained by your post, and also all of those non-English-natives who have learned English as a second language that is becoming widespread in financial and trade matters, the Internet, and, of course, programming. Not that I think it's a perfect language -- it sucks, as far as learning easily. But your courtesy is appreciated.

Currently English is the current "Lingua Franca" in much of our everyday life (especially in the computer world), plus I like to read it, write it, listen to it, and speak it as much as I can so it does not bother me .

[Giorgio Maone]

This is my Facebook HTTPS setup:
Force:
facebook.com *.facebook.com
Never force
it-it.facebook.com

[Panajev]

Thanks Giorgio, using your Force + Never Force combo as is (in both the HTTPS Behavior and HTTPS Cookies tabs) I am able to close Firefox, re-open it... connect to facebook without having to log back in each time.
I still get the error when I login (I had to do it the first time):

Code: Select all

Error: [Exception... "'NoScript aborted non-HTTPS redirection to http://www.facebook.com/login.php' when calling method: [nsIChannelEventSink::onChannelRedirect]"  nsresult: "0x8057001e (NS_ERROR_XPC_JS_THREW_STRING)"  location: "<unknown>"  data: no]

I am in Italy at the moment... (same PC as the one I was mentioning in my latest post in this thread)... can that influence things? (oh I forgot to say this... but my Facebook's interface is the EN-US one, not the localized Italian one... I do not know if that can change things...)

[GµårÐïåñ]

Unless Facebook programmers have done some seriously asinine intentional act to refuse international localizations, it should not matter at all really. I am not able to reproduce the issue on my machine, I asked a friend in Hong Kong using both localized and non-localized versions to try, could not reproduce. I asked my cousin in London to try both localized and non-localized, could not reproduce. My cousin in Germany tried both versions and got an error in the non-localized version but not in his localized version. And a fellow programmer in France tried and had no issue with the localized version but ran into trouble with the non-localized version. So it seems from anecdotal evidence that it might be some other configuration somehow asserting itself or possibly another extension. As always, I could be wrong but felt the inclusion of more attempts on various EU/US versions might help, or not.

[Tom T.]

Beware, everyone: Guardian and his international cabal are planning to take over the world. He has agents infiltrated into every country!

[GµårÐïåñ]

Beware, everyone: Guardian and his international cabal are planning to take over the world. He has agents infiltrated into every country!

HA HA smart ass this is the gratitude I get for trying to help

[Tom T.]

HA HA smart ass this is the gratitude I get for trying to help

We used to have a saying: If you want gratitude for your work, go be a fireman.

[GµårÐïåñ]

No thanks necessary here, that's why _I_ became a Marine