EFForg / https-everywhere

A browser extension that encrypts your communications with many websites that offer HTTPS but still allow unencrypted connections.
https://eff.org/https-everywhere

forum.worldofwarships.ru impossible to log in #5650

Closed TheFinalCut83 closed 8 years ago

TheFinalCut83 commented 8 years ago

http://forum.worldofwarships.ru (maybe also .eu, .com and .asia) Firefox 48.0b7, HTTPS Everywhere 5.1.10. I get that message when trying to log in. HTTPS support is partial on that forum, so maybe that's the point. Disabling "World of Warships" in HTTPS Everywhere allows me to log in.

jeremyn commented 8 years ago

Here is the worldofwarships rule, for reference.

I don't know if any of the maintainers has a worldofwarships account so you'll need to provide more information, please. Can you translate the error message here? Also, can you show us what output you get in the Chrome Developer Tools Network panel (Ctrl-Shift-I > Network) when you try to log in?

TheFinalCut83 commented 8 years ago

Excuse me, initially I hadn't written clearly enough. The message from the 1st screenshot appears after clicking the "log in" button (top right corner). You don't need to have a login on the wows forum itself. Besides, I absolutely forgot that wows has regional shards (.com, .eu and .asia). It seems strange, but for the asia forum the "Log in" button works fine with HTTPS Everywhere and you see the login form as it should be. On the .eu and .com forums there are the same errors as on the wows russian forum. It seems that the current wows rule doesn't affect the .asia domain (<securecookie host="^forum\.worldofwarships\.(?:com|eu|ru)$" name=".+" /> <rule from="^http://forum\.worldofwarships\.(com|eu|ru)/" to="https://forum.worldofwarships.$1/" />) and so the "log in" button on the .asia forum works great. Interestingly, in Chrome 52 this bug also appears with or without the experimental rule (in the red frame). Content of the HAR file from the network panel after I click the "log in" button.

jeremyn commented 8 years ago

Thanks. I can reproduce the problem here just by clicking on Log in in the top right corner.

In the web console I see:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://forum.worldofwarships.com/index.php?s=1edb646ee18161ad94950f2088f602bc&app=core&module=ajax&section=login&do=discover&md5check=880ea6a14ea49e853634fbdc5015a024. (Reason: CORS header 'Access-Control-Allow-Origin' missing).

This is a CORS problem. Here's what I think is happening: when you click Log in, http://forum.worldofwarships.com requests a resource from http://forum.worldofwarships.com. HTTPS Everywhere rewrites the URL so instead it's requesting from https://forum.worldofwarships.com, which is a different site. Unfortunately the response from https doesn't include an Access-Control-Allow-Origin header allowing a remote request, so the request fails and that's the problem.

The fix is one of

I'm not really sure why this ruleset exists at all. https://forum.worldofwarships.com seems to redirect https to http everywhere. We can probably just disable the ruleset entirely. @fuglede @J0WI what do you think?
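Added example (not part of the HTTPS Everywhere project and not code from any comment in this thread): it models the `<rule>` quoted earlier in the thread as a JavaScript regex, computes the origin tuple (scheme + host + port) the browser compares, and applies the simple CORS check that produces the "Access-Control-Allow-Origin missing" error above. The login AJAX path and the response headers are constructed for the demonstration; only the rule pattern and the forum hostnames come from the thread.

```javascript
// Added example: how an http -> https URL rewrite turns a same-origin XHR
// into a cross-origin one that CORS then blocks. Not project code.

// The <rule> from the worldofwarships ruleset quoted in the thread, as a regex.
const WOWS_RULE = {
  from: /^http:\/\/forum\.worldofwarships\.(com|eu|ru)\//,
  to: "https://forum.worldofwarships.$1/",
};

// Apply one HTTPS Everywhere-style rule; the URL is returned unchanged when
// the "from" pattern does not match (which is why the .asia forum is unaffected).
function applyRule(rule, url) {
  return rule.from.test(url) ? url.replace(rule.from, rule.to) : url;
}

// A web origin is (scheme, host, port). URL.host keeps a non-default port,
// so "http://a:8080" and "http://a" correctly compare as different origins.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Decide whether script on `pageUrl` may read the response to `requestUrl`,
// given the response headers (plain object, header names lower-cased).
// Same-origin responses are always readable; a cross-origin response needs
// an Access-Control-Allow-Origin that is "*" or exactly the page's origin.
function corsDecision(pageUrl, requestUrl, responseHeaders) {
  if (isSameOrigin(pageUrl, requestUrl)) {
    return { allowed: true, reason: "same-origin" };
  }
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined) {
    return { allowed: false, reason: "CORS header 'Access-Control-Allow-Origin' missing" };
  }
  if (acao === "*" || acao === originOf(pageUrl)) {
    return { allowed: true, reason: `Access-Control-Allow-Origin: ${acao}` };
  }
  return { allowed: false, reason: `origin ${originOf(pageUrl)} not allowed by ${acao}` };
}

// Reproduce the thread's failure: the page is loaded over http, the login
// XHR is rewritten to https by the rule, and the https response carries no
// CORS header. `ajaxPath` and `responseHeaders` are constructed inputs.
function simulateLogin(pageUrl, ajaxPath, responseHeaders) {
  const original = pageUrl + ajaxPath;
  const rewritten = applyRule(WOWS_RULE, original);
  return {
    rewritten,
    crossOrigin: !isSameOrigin(pageUrl, rewritten),
    ...corsDecision(pageUrl, rewritten, responseHeaders),
  };
}

// Constructed login endpoint path (shape only; not the forum's real parameters).
const LOGIN_PATH = "/index.php?app=core&module=ajax&section=login";

function demo() {
  const results = {
    // .com forum, no CORS header on the https response: blocked, as reported.
    comBlocked: simulateLogin("http://forum.worldofwarships.com", LOGIN_PATH, {}),
    // .asia forum: rule does not match, request stays same-origin, works.
    asiaWorks: simulateLogin("http://forum.worldofwarships.asia", LOGIN_PATH, {}),
    // What the server would have to send for the rewritten request to succeed.
    comWithAcao: simulateLogin("http://forum.worldofwarships.com", LOGIN_PATH, {
      "access-control-allow-origin": "http://forum.worldofwarships.com",
    }),
  };
  for (const [name, r] of Object.entries(results)) {
    console.log(name, r.rewritten, r.allowed ? "ALLOWED" : "BLOCKED", "-", r.reason);
  }
  return results;
}

demo();
```

The point the simulation makes is the one jeremyn describes: the rewrite itself is what changes the origin tuple, so a site that serves its HTTPS endpoints without an Access-Control-Allow-Origin header (or that redirects https back to http) cannot be partially upgraded by a URL rewrite; either the whole page must be served over https so every request stays same-origin, or the rule has to go.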

fuglede commented 8 years ago

@jeremyn: Yeah, the rule needs to go.

J0WI commented 8 years ago

This has a wildcard on the right; that's bad anyway.

jeremyn commented 8 years ago

I agree, it's not a model rule.

Thanks for the report, @TheFinalCut83. The change to disable the rule by default has been merged, so I'm closing this issue.