[tbb-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Apr 12 00:30:51 UTC 2018
#21537: Consider ignoring secure cookies for .onion addresses
-------------------------------------------------+-------------------------
Reporter: micah | Owner: tbb-
| team
Type: enhancement | Status:
| needs_review
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-usability, | Actual Points:
TorBrowserTeam201804R, GeorgKoppen201804 |
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by pospeselr):
Replying to [comment:14 arthuredelstein]:
> Replying to [comment:13 gk]:
> > Replying to [comment:12 pospeselr]:
> > > Change looks good, only thing I'd suggest is moving the block at
3340 a couple lines up before the Telemetry::Accumulate call ( since the
enum seems to be a question of cookie security, rather than http(s) ).
> > >
> > > I also verified the hostURI that's passed in is already normalized,
so we don't have to worry about case insensitive string compare.
> >
> > Thanks. I added the suggested change in `bug_21537_v3`
(https://gitweb.torproject.org/user/gk/tor-
browser.git/log/?h=bug_21537_v3). Let me know if that still looks good.
>
> The code looks good to me, but I would suggest factoring out the
security checks (which are repeated in three places) by creating a static
function like:
> `bool IsSecureHost(nsIURI *aHostURI)`
> that returns true for both https and .onion URIs.
Yeah I'd agree with this.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21537#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list