[tbb-commits] [tor-browser] 67/68: Bug 28005: Implement .onion alias urlbar rewrites

gitolite role git at cupani.torproject.org
Tue May 3 17:40:24 UTC 2022


This is an automated email from the git hooks/post-receive script.

richard pushed a commit to branch tor-browser-91.9.0esr-11.5-1
in repository tor-browser.

commit c0de4a7d6ea7092d0a60b13d0e11732d29d2b4ca
Author: Alex Catarineu <acat at torproject.org>
AuthorDate: Thu Feb 13 13:24:33 2020 +0100

    Bug 28005: Implement .onion alias urlbar rewrites
    
    A custom HTTPS Everywhere update channel is installed,
    which provides rules for locally redirecting some memorable
    .tor.onion URLs to non-memorable .onion URLs.
    
    When these redirects occur, we also rewrite the URL in the urlbar
    to display the human-memorable hostname instead of the actual
    .onion.
    
    Bug 34196: Update site info URL with the onion name
    
    Bug 40456: Update the SecureDrop HTTPS-Everywhere update channel
    Bug 40478: Onion alias url rewrite is broken
---
 browser/actors/ClickHandlerChild.jsm               |  20 ++
 browser/actors/ClickHandlerParent.jsm              |   1 +
 browser/actors/ContextMenuChild.jsm                |   4 +
 browser/base/content/browser-places.js             |  12 +-
 browser/base/content/browser-siteIdentity.js       |  12 +-
 browser/base/content/browser.js                    |  43 ++++-
 browser/base/content/nsContextMenu.js              |  18 ++
 browser/base/content/pageinfo/pageInfo.js          |   2 +-
 browser/base/content/pageinfo/pageInfo.xhtml       |  10 +
 browser/base/content/pageinfo/security.js          |  17 +-
 browser/base/content/tabbrowser.js                 |   7 +
 browser/base/content/utilityOverlay.js             |  12 ++
 browser/components/BrowserGlue.jsm                 |  29 +++
 .../onionservices/ExtensionMessaging.jsm           |  77 ++++++++
 .../onionservices/HttpsEverywhereControl.jsm       | 162 +++++++++++++++++
 .../components/onionservices/OnionAliasStore.jsm   | 201 +++++++++++++++++++++
 browser/components/onionservices/moz.build         |   6 +
 browser/components/urlbar/UrlbarInput.jsm          |  13 +-
 docshell/base/nsDocShell.cpp                       |  52 ++++++
 docshell/base/nsDocShell.h                         |   6 +
 docshell/base/nsDocShellLoadState.cpp              |   4 +
 docshell/base/nsIDocShell.idl                      |   5 +
 docshell/base/nsIWebNavigation.idl                 |   5 +
 docshell/shistory/SessionHistoryEntry.cpp          |  14 ++
 docshell/shistory/SessionHistoryEntry.h            |   1 +
 docshell/shistory/nsISHEntry.idl                   |   5 +
 docshell/shistory/nsSHEntry.cpp                    |  22 ++-
 docshell/shistory/nsSHEntry.h                      |   1 +
 dom/interfaces/base/nsIBrowser.idl                 |   3 +-
 dom/ipc/BrowserChild.cpp                           |   2 +
 dom/ipc/BrowserParent.cpp                          |   3 +-
 dom/ipc/PBrowser.ipdl                              |   1 +
 modules/libpref/init/StaticPrefList.yaml           |   6 +
 netwerk/dns/effective_tld_names.dat                |   2 +
 netwerk/ipc/DocumentLoadListener.cpp               |  10 +
 toolkit/content/widgets/browser-custom-element.js  |  13 +-
 toolkit/modules/sessionstore/SessionHistory.jsm    |   5 +
 xpcom/reflect/xptinfo/xptinfo.h                    |   3 +-
 38 files changed, 786 insertions(+), 23 deletions(-)

diff --git a/browser/actors/ClickHandlerChild.jsm b/browser/actors/ClickHandlerChild.jsm
index 0f3bf42e2290c..0f0f9330197fd 100644
--- a/browser/actors/ClickHandlerChild.jsm
+++ b/browser/actors/ClickHandlerChild.jsm
@@ -146,6 +146,26 @@ class ClickHandlerChild extends JSWindowActorChild {
       json.originStoragePrincipal = ownerDoc.effectiveStoragePrincipal;
       json.triggeringPrincipal = ownerDoc.nodePrincipal;
 
+      // Check if the link needs to be opened with .tor.onion urlbar rewrites
+      // allowed. Only when the owner doc has onionUrlbarRewritesAllowed = true
+      // and the same origin we should allow this.
+      json.onionUrlbarRewritesAllowed = false;
+      if (this.docShell.onionUrlbarRewritesAllowed) {
+        const sm = Services.scriptSecurityManager;
+        try {
+          let targetURI = Services.io.newURI(href);
+          let isPrivateWin =
+            ownerDoc.nodePrincipal.originAttributes.privateBrowsingId > 0;
+          sm.checkSameOriginURI(
+            docshell.currentDocumentChannel.URI,
+            targetURI,
+            false,
+            isPrivateWin
+          );
+          json.onionUrlbarRewritesAllowed = true;
+        } catch (e) {}
+      }
+
       // If a link element is clicked with middle button, user wants to open
       // the link somewhere rather than pasting clipboard content.  Therefore,
       // when it's clicked with middle button, we should prevent multiple
diff --git a/browser/actors/ClickHandlerParent.jsm b/browser/actors/ClickHandlerParent.jsm
index 89363074ed148..3a5be306be467 100644
--- a/browser/actors/ClickHandlerParent.jsm
+++ b/browser/actors/ClickHandlerParent.jsm
@@ -103,6 +103,7 @@ class ClickHandlerParent extends JSWindowActorParent {
     let params = {
       charset: browser.characterSet,
       referrerInfo: E10SUtils.deserializeReferrerInfo(data.referrerInfo),
+      onionUrlbarRewritesAllowed: data.onionUrlbarRewritesAllowed,
       isContentWindowPrivate: data.isContentWindowPrivate,
       originPrincipal: data.originPrincipal,
       originStoragePrincipal: data.originStoragePrincipal,
diff --git a/browser/actors/ContextMenuChild.jsm b/browser/actors/ContextMenuChild.jsm
index a9521642e4953..dd7809eeb1cad 100644
--- a/browser/actors/ContextMenuChild.jsm
+++ b/browser/actors/ContextMenuChild.jsm
@@ -545,6 +545,9 @@ class ContextMenuChild extends JSWindowActorChild {
       doc.defaultView
     ).getFieldContext(aEvent.composedTarget);
 
+    let parentAllowsOnionUrlbarRewrites = this.docShell
+      .onionUrlbarRewritesAllowed;
+
     let disableSetDesktopBackground = null;
 
     // Media related cache info parent needs for saving
@@ -656,6 +659,7 @@ class ContextMenuChild extends JSWindowActorChild {
       frameID,
       frameBrowsingContextID,
       disableSetDesktopBackground,
+      parentAllowsOnionUrlbarRewrites,
     };
 
     if (context.inFrame && !context.inSrcdocFrame) {
diff --git a/browser/base/content/browser-places.js b/browser/base/content/browser-places.js
index b0c9f6623097a..d90dc636f8db6 100644
--- a/browser/base/content/browser-places.js
+++ b/browser/base/content/browser-places.js
@@ -470,7 +470,8 @@ var PlacesCommandHook = {
    */
   async bookmarkPage() {
     let browser = gBrowser.selectedBrowser;
-    let url = new URL(browser.currentURI.spec);
+    const uri = browser.currentOnionAliasURI || browser.currentURI;
+    let url = new URL(uri.spec);
     let info = await PlacesUtils.bookmarks.fetch({ url });
     let isNewBookmark = !info;
     let showEditUI = !isNewBookmark || StarUI.showForNewBookmarks;
@@ -581,7 +582,7 @@ var PlacesCommandHook = {
 
     tabs.forEach(tab => {
       let browser = tab.linkedBrowser;
-      let uri = browser.currentURI;
+      let uri = browser.currentOnionAliasURI || browser.currentURI;
       let title = browser.contentTitle || tab.label;
       let spec = uri.spec;
       if (!(spec in uniquePages)) {
@@ -1828,14 +1829,17 @@ var BookmarkingUI = {
   },
 
   onLocationChange: function BUI_onLocationChange() {
-    if (this._uri && gBrowser.currentURI.equals(this._uri)) {
+    const uri =
+      gBrowser.selectedBrowser.currentOnionAliasURI || gBrowser.currentURI;
+    if (this._uri && uri.equals(this._uri)) {
       return;
     }
     this.updateStarState();
   },
 
   updateStarState: function BUI_updateStarState() {
-    this._uri = gBrowser.currentURI;
+    this._uri =
+      gBrowser.selectedBrowser.currentOnionAliasURI || gBrowser.currentURI;
     this._itemGuids.clear();
     let guids = new Set();
 
diff --git a/browser/base/content/browser-siteIdentity.js b/browser/base/content/browser-siteIdentity.js
index 6682ae8b096fe..45b992c14fca0 100644
--- a/browser/base/content/browser-siteIdentity.js
+++ b/browser/base/content/browser-siteIdentity.js
@@ -658,13 +658,13 @@ var gIdentityHandler = {
    *        nsIURI for which the identity UI should be displayed, already
    *        processed by createExposableURI.
    */
-  updateIdentity(state, uri) {
+  updateIdentity(state, uri, onionAliasURI) {
     let shouldHidePopup = this._uri && this._uri.spec != uri.spec;
     this._state = state;
 
     // Firstly, populate the state properties required to display the UI. See
     // the documentation of the individual properties for details.
-    this.setURI(uri);
+    this.setURI(uri, onionAliasURI);
     this._secInfo = gBrowser.securityUI.secInfo;
     this._isSecureContext = gBrowser.securityUI.isSecureContext;
 
@@ -687,17 +687,18 @@ var gIdentityHandler = {
    * Attempt to provide proper IDN treatment for host names
    */
   getEffectiveHost() {
+    let uri = this._onionAliasURI || this._uri;
     if (!this._IDNService) {
       this._IDNService = Cc["@mozilla.org/network/idn-service;1"].getService(
         Ci.nsIIDNService
       );
     }
     try {
-      return this._IDNService.convertToDisplayIDN(this._uri.host, {});
+      return this._IDNService.convertToDisplayIDN(uri.host, {});
     } catch (e) {
       // If something goes wrong (e.g. host is an IP address) just fail back
       // to the full domain.
-      return this._uri.host;
+      return uri.host;
     }
   },
 
@@ -1140,11 +1141,12 @@ var gIdentityHandler = {
     this._identityPopupContentVerif.textContent = verifier;
   },
 
-  setURI(uri) {
+  setURI(uri, onionAliasURI) {
     if (uri.schemeIs("view-source")) {
       uri = Services.io.newURI(uri.spec.replace(/^view-source:/i, ""));
     }
     this._uri = uri;
+    this._onionAliasURI = onionAliasURI;
 
     try {
       // Account for file: urls and catch when "" is the value
diff --git a/browser/base/content/browser.js b/browser/base/content/browser.js
index f6621a9a74014..a5a2020b28513 100644
--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@@ -81,6 +81,7 @@ XPCOMUtils.defineLazyModuleGetters(this, {
   TelemetryEnvironment: "resource://gre/modules/TelemetryEnvironment.jsm",
   TorConnect: "resource:///modules/TorConnect.jsm",
   Translation: "resource:///modules/translation/TranslationParent.jsm",
+  OnionAliasStore: "resource:///modules/OnionAliasStore.jsm",
   UITour: "resource:///modules/UITour.jsm",
   UpdateUtils: "resource://gre/modules/UpdateUtils.jsm",
   UrlbarInput: "resource:///modules/UrlbarInput.jsm",
@@ -2247,6 +2248,7 @@ var gBrowserInit = {
         //                 [9]: allowInheritPrincipal (bool)
         //                 [10]: csp (nsIContentSecurityPolicy)
         //                 [11]: nsOpenWindowInfo
+        //                 [12]: onionUrlbarRewritesAllowed (bool)
         let userContextId =
           window.arguments[5] != undefined
             ? window.arguments[5]
@@ -2266,7 +2268,8 @@ var gBrowserInit = {
           // TODO fix allowInheritPrincipal to default to false.
           // Default to true unless explicitly set to false because of bug 1475201.
           window.arguments[9] !== false,
-          window.arguments[10]
+          window.arguments[10],
+          window.arguments[12]
         );
         window.focus();
       } else {
@@ -3064,7 +3067,8 @@ function loadURI(
   forceAboutBlankViewerInCurrent,
   triggeringPrincipal,
   allowInheritPrincipal = false,
-  csp = null
+  csp = null,
+  onionUrlbarRewritesAllowed = false
 ) {
   if (!triggeringPrincipal) {
     throw new Error("Must load with a triggering Principal");
@@ -3082,6 +3086,7 @@ function loadURI(
       csp,
       forceAboutBlankViewerInCurrent,
       allowInheritPrincipal,
+      onionUrlbarRewritesAllowed,
     });
   } catch (e) {
     Cu.reportError(e);
@@ -5208,11 +5213,24 @@ var XULBrowserWindow = {
       this.reloadCommand.removeAttribute("disabled");
     }
 
+    // The onion memorable alias needs to be used in gURLBar.setURI, but also in
+    // other parts of the code (like the bookmarks UI), so we save it.
+    if (gBrowser.selectedBrowser.onionUrlbarRewritesAllowed) {
+      gBrowser.selectedBrowser.currentOnionAliasURI = OnionAliasStore.getShortURI(
+        aLocationURI
+      );
+    } else {
+      gBrowser.selectedBrowser.currentOnionAliasURI = null;
+    }
+
     // We want to update the popup visibility if we received this notification
     // via simulated locationchange events such as switching between tabs, however
     // if this is a document navigation then PopupNotifications will be updated
     // via TabsProgressListener.onLocationChange and we do not want it called twice
-    gURLBar.setURI(aLocationURI, aIsSimulated);
+    gURLBar.setURI(
+      gBrowser.selectedBrowser.currentOnionAliasURI || aLocationURI,
+      aIsSimulated
+    );
 
     BookmarkingUI.onLocationChange();
     // If we've actually changed document, update the toolbar visibility.
@@ -5435,6 +5453,7 @@ var XULBrowserWindow = {
     // Don't need to do anything if the data we use to update the UI hasn't
     // changed
     let uri = gBrowser.currentURI;
+    let onionAliasURI = gBrowser.selectedBrowser.currentOnionAliasURI;
     let spec = uri.spec;
     let isSecureContext = gBrowser.securityUI.isSecureContext;
     if (
@@ -5458,7 +5477,7 @@ var XULBrowserWindow = {
     try {
       uri = Services.io.createExposableURI(uri);
     } catch (e) {}
-    gIdentityHandler.updateIdentity(this._state, uri);
+    gIdentityHandler.updateIdentity(this._state, uri, onionAliasURI);
   },
 
   // simulate all change notifications after switching tabs
@@ -6967,6 +6986,21 @@ function handleLinkClick(event, href, linkNode) {
     return true;
   }
 
+  // Check if the link needs to be opened with .tor.onion urlbar rewrites
+  // allowed. Only when the owner doc has onionUrlbarRewritesAllowed = true
+  // and the same origin we should allow this.
+  let persistOnionUrlbarRewritesAllowedInChildTab = false;
+  if (where == "tab" && gBrowser.docShell.onionUrlbarRewritesAllowed) {
+    const sm = Services.scriptSecurityManager;
+    try {
+      let tURI = makeURI(href);
+      let isPrivateWin =
+        doc.nodePrincipal.originAttributes.privateBrowsingId > 0;
+      sm.checkSameOriginURI(doc.documentURIObject, tURI, false, isPrivateWin);
+      persistOnionUrlbarRewritesAllowedInChildTab = true;
+    } catch (e) {}
+  }
+
   let frameID = WebNavigationFrames.getFrameId(doc.defaultView);
 
   urlSecurityCheck(href, doc.nodePrincipal);
@@ -6978,6 +7012,7 @@ function handleLinkClick(event, href, linkNode) {
     triggeringPrincipal: doc.nodePrincipal,
     csp: doc.csp,
     frameID,
+    onionUrlbarRewritesAllowed: persistOnionUrlbarRewritesAllowedInChildTab,
   };
 
   // The new tab/window must use the same userContextId
diff --git a/browser/base/content/nsContextMenu.js b/browser/base/content/nsContextMenu.js
index 1ff16ffbab9f1..e96df23142f86 100644
--- a/browser/base/content/nsContextMenu.js
+++ b/browser/base/content/nsContextMenu.js
@@ -58,6 +58,7 @@ function openContextMenu(aMessage, aBrowser, aActor) {
     selectionInfo: data.selectionInfo,
     disableSetDesktopBackground: data.disableSetDesktopBackground,
     loginFillInfo: data.loginFillInfo,
+    parentAllowsOnionUrlbarRewrites: data.parentAllowsOnionUrlbarRewrites,
     userContextId: data.userContextId,
     webExtContextData: data.webExtContextData,
     cookieJarSettings: E10SUtils.deserializeCookieJarSettings(
@@ -1197,6 +1198,7 @@ class nsContextMenu {
       triggeringPrincipal: this.principal,
       csp: this.csp,
       frameID: this.contentData.frameID,
+      onionUrlbarRewritesAllowed: false,
     };
     for (let p in extra) {
       params[p] = extra[p];
@@ -1220,6 +1222,22 @@ class nsContextMenu {
     }
 
     params.referrerInfo = referrerInfo;
+
+    // Check if the link needs to be opened with .tor.onion urlbar rewrites
+    // allowed. Only when parent has onionUrlbarRewritesAllowed = true
+    // and the same origin we should allow this.
+    if (this.contentData.parentAllowsOnionUrlbarRewrites) {
+      let referrerURI = this.contentData.documentURIObject;
+      const sm = Services.scriptSecurityManager;
+      try {
+        let targetURI = this.linkURI;
+        let isPrivateWin =
+          this.browser.contentPrincipal.originAttributes.privateBrowsingId > 0;
+        sm.checkSameOriginURI(referrerURI, targetURI, false, isPrivateWin);
+        params.onionUrlbarRewritesAllowed = true;
+      } catch (e) {}
+    }
+
     return params;
   }
 
diff --git a/browser/base/content/pageinfo/pageInfo.js b/browser/base/content/pageinfo/pageInfo.js
index cd02b73bd0c76..dd1a4a90fedf8 100644
--- a/browser/base/content/pageinfo/pageInfo.js
+++ b/browser/base/content/pageinfo/pageInfo.js
@@ -398,7 +398,7 @@ async function onNonMediaPageInfoLoad(browser, pageInfoData, imageInfo) {
     );
   }
   onLoadPermission(uri, principal);
-  securityOnLoad(uri, windowInfo);
+  securityOnLoad(uri, windowInfo, browser.currentOnionAliasURI);
 }
 
 function resetPageInfo(args) {
diff --git a/browser/base/content/pageinfo/pageInfo.xhtml b/browser/base/content/pageinfo/pageInfo.xhtml
index f40ffd3778d8c..a23f2bb5748c6 100644
--- a/browser/base/content/pageinfo/pageInfo.xhtml
+++ b/browser/base/content/pageinfo/pageInfo.xhtml
@@ -312,6 +312,16 @@
               <input id="security-identity-domain-value" readonly="readonly"/>
             </td>
           </tr>
+          <!-- Onion Alias -->
+          <tr id="security-view-identity-onionalias-row">
+            <th>
+              <xul:label id="security-view-identity-onionalias"
+                     control="security-view-identity-onionalias-value"/>
+            </th>
+            <td>
+              <input id="security-view-identity-onionalias-value" readonly="true"/>
+            </td>
+          </tr>
           <!-- Owner -->
           <tr>
             <th>
diff --git a/browser/base/content/pageinfo/security.js b/browser/base/content/pageinfo/security.js
index 8d10c8df814c4..2e22f4670503d 100644
--- a/browser/base/content/pageinfo/security.js
+++ b/browser/base/content/pageinfo/security.js
@@ -248,7 +248,7 @@ var security = {
   },
 };
 
-async function securityOnLoad(uri, windowInfo) {
+async function securityOnLoad(uri, windowInfo, onionAliasURI) {
   await security.init(uri, windowInfo);
 
   let info = security.securityInfo;
@@ -261,6 +261,21 @@ async function securityOnLoad(uri, windowInfo) {
   }
   document.getElementById("securityTab").hidden = false;
 
+  if (onionAliasURI) {
+    setText(
+      "security-view-identity-onionalias",
+      gTorButtonBundle.GetStringFromName("pageInfo_OnionName")
+    );
+    setText("security-view-identity-onionalias-value", onionAliasURI.host);
+    document.getElementById(
+      "security-view-identity-onionalias-row"
+    ).hidden = false;
+  } else {
+    document.getElementById(
+      "security-view-identity-onionalias-row"
+    ).hidden = true;
+  }
+
   /* Set Identity section text */
   setText("security-identity-domain-value", windowInfo.hostName);
 
diff --git a/browser/base/content/tabbrowser.js b/browser/base/content/tabbrowser.js
index e47c81541bfab..520fea7cc3457 100644
--- a/browser/base/content/tabbrowser.js
+++ b/browser/base/content/tabbrowser.js
@@ -1635,6 +1635,7 @@
       var aFromExternal;
       var aRelatedToCurrent;
       var aAllowInheritPrincipal;
+      var aOnionUrlbarRewritesAllowed;
       var aSkipAnimation;
       var aForceNotRemote;
       var aPreferredRemoteType;
@@ -1664,6 +1665,7 @@
         aFromExternal = params.fromExternal;
         aRelatedToCurrent = params.relatedToCurrent;
         aAllowInheritPrincipal = !!params.allowInheritPrincipal;
+        aOnionUrlbarRewritesAllowed = params.onionUrlbarRewritesAllowed;
         aSkipAnimation = params.skipAnimation;
         aForceNotRemote = params.forceNotRemote;
         aPreferredRemoteType = params.preferredRemoteType;
@@ -1704,6 +1706,7 @@
         fromExternal: aFromExternal,
         relatedToCurrent: aRelatedToCurrent,
         skipAnimation: aSkipAnimation,
+        onionUrlbarRewritesAllowed: aOnionUrlbarRewritesAllowed,
         forceNotRemote: aForceNotRemote,
         createLazyBrowser: aCreateLazyBrowser,
         preferredRemoteType: aPreferredRemoteType,
@@ -2536,6 +2539,7 @@
       aURI,
       {
         allowInheritPrincipal,
+        onionUrlbarRewritesAllowed,
         allowThirdPartyFixup,
         bulkOrderedOpen,
         charset,
@@ -2877,6 +2881,9 @@
             // lands.
             flags |= Ci.nsIWebNavigation.LOAD_FLAGS_FIRST_LOAD;
           }
+          if (onionUrlbarRewritesAllowed) {
+            flags |= Ci.nsIWebNavigation.LOAD_FLAGS_ALLOW_ONION_URLBAR_REWRITES;
+          }
           if (!allowInheritPrincipal) {
             flags |= Ci.nsIWebNavigation.LOAD_FLAGS_DISALLOW_INHERIT_PRINCIPAL;
           }
diff --git a/browser/base/content/utilityOverlay.js b/browser/base/content/utilityOverlay.js
index a95717544b80f..4926885cca3bd 100644
--- a/browser/base/content/utilityOverlay.js
+++ b/browser/base/content/utilityOverlay.js
@@ -303,6 +303,7 @@ function openLinkIn(url, where, params) {
     : new ReferrerInfo(Ci.nsIReferrerInfo.EMPTY, true, null);
   var aRelatedToCurrent = params.relatedToCurrent;
   var aAllowInheritPrincipal = !!params.allowInheritPrincipal;
+  var aOnionUrlbarRewritesAllowed = params.onionUrlbarRewritesAllowed;
   var aForceAllowDataURI = params.forceAllowDataURI;
   var aInBackground = params.inBackground;
   var aInitiatingDoc = params.initiatingDoc;
@@ -419,6 +420,11 @@ function openLinkIn(url, where, params) {
     ].createInstance(Ci.nsISupportsPRBool);
     allowThirdPartyFixupSupports.data = aAllowThirdPartyFixup;
 
+    var onionUrlbarRewritesAllowed = Cc[
+      "@mozilla.org/supports-PRBool;1"
+    ].createInstance(Ci.nsISupportsPRBool);
+    onionUrlbarRewritesAllowed.data = aOnionUrlbarRewritesAllowed;
+
     var userContextIdSupports = Cc[
       "@mozilla.org/supports-PRUint32;1"
     ].createInstance(Ci.nsISupportsPRUint32);
@@ -435,6 +441,8 @@ function openLinkIn(url, where, params) {
     sa.appendElement(aTriggeringPrincipal);
     sa.appendElement(null); // allowInheritPrincipal
     sa.appendElement(aCsp);
+    sa.appendElement(null); // nsOpenWindowInfo
+    sa.appendElement(onionUrlbarRewritesAllowed);
 
     const sourceWindow = w || window;
     let win;
@@ -552,6 +560,9 @@ function openLinkIn(url, where, params) {
       if (aForceAllowDataURI) {
         flags |= Ci.nsIWebNavigation.LOAD_FLAGS_FORCE_ALLOW_DATA_URI;
       }
+      if (aOnionUrlbarRewritesAllowed) {
+        flags |= Ci.nsIWebNavigation.LOAD_FLAGS_ALLOW_ONION_URLBAR_REWRITES;
+      }
 
       let { URI_INHERITS_SECURITY_CONTEXT } = Ci.nsIProtocolHandler;
       if (
@@ -598,6 +609,7 @@ function openLinkIn(url, where, params) {
         allowThirdPartyFixup: aAllowThirdPartyFixup,
         relatedToCurrent: aRelatedToCurrent,
         skipAnimation: aSkipTabAnimation,
+        onionUrlbarRewritesAllowed: aOnionUrlbarRewritesAllowed,
         userContextId: aUserContextId,
         originPrincipal: aPrincipal,
         originStoragePrincipal: aStoragePrincipal,
diff --git a/browser/components/BrowserGlue.jsm b/browser/components/BrowserGlue.jsm
index 16e067c363b2f..51e027aa9e2d5 100644
--- a/browser/components/BrowserGlue.jsm
+++ b/browser/components/BrowserGlue.jsm
@@ -85,6 +85,7 @@ XPCOMUtils.defineLazyModuleGetters(this, {
   TabUnloader: "resource:///modules/TabUnloader.jsm",
   TelemetryUtils: "resource://gre/modules/TelemetryUtils.jsm",
   TRRRacer: "resource:///modules/TRRPerformance.jsm",
+  OnionAliasStore: "resource:///modules/OnionAliasStore.jsm",
   UIState: "resource://services-sync/UIState.jsm",
   UrlbarQuickSuggest: "resource:///modules/UrlbarQuickSuggest.jsm",
   UrlbarPrefs: "resource:///modules/UrlbarPrefs.jsm",
@@ -2015,6 +2016,7 @@ BrowserGlue.prototype = {
     Normandy.uninit();
     RFPHelper.uninit();
     ASRouterNewTabHook.destroy();
+    OnionAliasStore.uninit();
   },
 
   // Set up a listener to enable/disable the screenshots extension
@@ -2519,6 +2521,33 @@ BrowserGlue.prototype = {
         },
       },
 
+      {
+        task: () => {
+          const { TorConnect, TorConnectTopics } = ChromeUtils.import(
+            "resource:///modules/TorConnect.jsm"
+          );
+          if (!TorConnect.shouldShowTorConnect) {
+            // we will take this path when the user is using the legacy tor launcher or
+            // when Tor Browser didn't launch its own tor.
+            OnionAliasStore.init();
+          } else {
+            // this path is taken when using about:torconnect, we wait to init
+            // after we are bootstrapped and connected to tor
+            const topic = TorConnectTopics.BootstrapComplete;
+            let bootstrapObserver = {
+              observe(aSubject, aTopic, aData) {
+                if (aTopic === topic) {
+                  OnionAliasStore.init();
+                  // we only need to init once, so remove ourselves as an obvserver
+                  Services.obs.removeObserver(this, topic);
+                }
+              }
+            };
+            Services.obs.addObserver(bootstrapObserver, topic);
+          }
+        },
+      },
+
       {
         task: () => {
           Blocklist.loadBlocklistAsync();
diff --git a/browser/components/onionservices/ExtensionMessaging.jsm b/browser/components/onionservices/ExtensionMessaging.jsm
new file mode 100644
index 0000000000000..c93b8c6edf85b
--- /dev/null
+++ b/browser/components/onionservices/ExtensionMessaging.jsm
@@ -0,0 +1,77 @@
+// Copyright (c) 2020, The Tor Project, Inc.
+
+"use strict";
+
+const EXPORTED_SYMBOLS = ["ExtensionMessaging"];
+
+const { Services } = ChromeUtils.import("resource://gre/modules/Services.jsm");
+const { ExtensionUtils } = ChromeUtils.import(
+  "resource://gre/modules/ExtensionUtils.jsm"
+);
+const { MessageChannel } = ChromeUtils.import(
+  "resource://gre/modules/MessageChannel.jsm"
+);
+const { AddonManager } = ChromeUtils.import(
+  "resource://gre/modules/AddonManager.jsm"
+);
+
+const { XPCOMUtils } = ChromeUtils.import(
+  "resource://gre/modules/XPCOMUtils.jsm"
+);
+
+XPCOMUtils.defineLazyModuleGetters(this, {
+  ExtensionParent: "resource://gre/modules/ExtensionParent.jsm",
+});
+
+class ExtensionMessaging {
+  constructor() {
+    this._callback = null;
+    this._handlers = new Map();
+    this._messageManager = Services.cpmm;
+  }
+
+  async sendMessage(message, extensionId) {
+    const addon = await AddonManager.getAddonByID(extensionId);
+    if (!addon) {
+      throw new Error(`extension '${extensionId} does not exist`);
+    }
+    await addon.startupPromise;
+
+    const { torSendExtensionMessage } = ExtensionParent;
+    return torSendExtensionMessage(extensionId, message);
+  }
+
+  unload() {
+    if (this._callback) {
+      this._handlers.clear();
+      this._messageManager.removeMessageListener(
+        "MessageChannel:Response",
+        this._callback
+      );
+      this._callback = null;
+    }
+  }
+
+  _onMessage({ data }) {
+    const channelId = data.messageName;
+    if (this._handlers.has(channelId)) {
+      const { resolve, reject } = this._handlers.get(channelId);
+      this._handlers.delete(channelId);
+      if (data.error) {
+        reject(new Error(data.error.message));
+      } else {
+        resolve(data.value);
+      }
+    }
+  }
+
+  _init() {
+    if (this._callback === null) {
+      this._callback = this._onMessage.bind(this);
+      this._messageManager.addMessageListener(
+        "MessageChannel:Response",
+        this._callback
+      );
+    }
+  }
+}
diff --git a/browser/components/onionservices/HttpsEverywhereControl.jsm b/browser/components/onionservices/HttpsEverywhereControl.jsm
new file mode 100644
index 0000000000000..d673de4cd6e57
--- /dev/null
+++ b/browser/components/onionservices/HttpsEverywhereControl.jsm
@@ -0,0 +1,162 @@
+// Copyright (c) 2020, The Tor Project, Inc.
+
+"use strict";
+
+const EXPORTED_SYMBOLS = ["HttpsEverywhereControl"];
+
+const { ExtensionMessaging } = ChromeUtils.import(
+  "resource:///modules/ExtensionMessaging.jsm"
+);
+const { setTimeout } = ChromeUtils.import("resource://gre/modules/Timer.jsm");
+
+const EXTENSION_ID = "https-everywhere-eff at eff.org";
+const SECUREDROP_TOR_ONION_CHANNEL_2020 = {
+  name: "SecureDropTorOnion",
+  jwk: {
+    kty: "RSA",
+    e: "AQAB",
+    n:
+      "p10BbUVc5Xj2S_-MH3bACNBaISo_r9e3PVPyTTjsGsdg2qSXvqUO42fBtpFAy0zUzIGS83v4JjiRdvKJaZTIvbC8AcpymzdsTqujMm8RPTSy3hO_8mXzGa4DEsIB1uNLnUWRBKXvSGCmT9kFyxhTpkYqokNBzafVihTU34tN2Md1xFHnmZGqfYtPtbJLWAa5Z1M11EyR4lIyUxIiPTV9t1XstDbWr3iS83REJrGEFmjG1-BAgx8_lDUTa41799N2yYEhgZud7bL0M3ei8s5OERjiion5uANkUV3-s2QqUZjiVA-XR_HizXjciaUWNd683KqekpNOZ_0STh_UGwpcwU-KwG07QyiCrLrRpz8S_vH8CqGrrcWY3GSzYe9dp34jJdO65oA-G8tK6fMXtvTCFDZI6oNNaXJH71F5J0YbqO2ZqwKYc2WSi0gKVl2wd9roOVjaBmkJqvocntYuNM7t38fDEWHn5KUkmrTbi [...]
+  },
+  update_path_prefix: "https://securedrop.org/https-everywhere/",
+  scope:
+    "^https?:\\/\\/[a-z0-9-]+(?:\\.[a-z0-9-]+)*\\.securedrop\\.tor\\.onion\\/",
+  replaces_default_rulesets: false,
+};
+
+const SECUREDROP_TOR_ONION_CHANNEL = {
+  name: "SecureDropTorOnion2021",
+  jwk: {
+    kty: "RSA",
+    e: "AQAB",
+    n:
+      "vsC7BNafkRe8Uh1DUgCkv6RbPQMdJgAKKnWdSqQd7tQzU1mXfmo_k1Py_2MYMZXOWmqSZ9iwIYkykZYywJ2VyMGve4byj1sLn6YQoOkG8g5Z3V4y0S2RpEfmYumNjTzfq8nxtLnwjaYd4sCUd5wa0SzeLrpRQuXo2bF3QuUF2xcbLJloxX1MmlsMMCdBc-qGNonLJ7bpn_JuyXlDWy1Fkeyw1qgjiOdiRIbMC1x302zgzX6dSrBrNB8Cpsh-vCE0ZjUo8M9caEv06F6QbYmdGJHM0ZZY34OHMSNdf-_qUKIV_SuxuSuFE99tkAeWnbWpyI1V-xhVo1sc7NzChP8ci2TdPvI3_0JyAuCvL6zIFqJUJkZibEUghhg6F09-oNJKpy7rhUJq7zZyLXJsvuXnn0gnIxfjRvMcDfZAKUVMZKRdw7fwWzwQril4Ib0MQOVda9vb_4JMk7Gup-TUI4sfuS4NKwsnKoODIO-2U [...]
+  },
+  update_path_prefix: "https://securedrop.org/https-everywhere-2021/",
+  scope:
+    "^https?:\\/\\/[a-z0-9-]+(?:\\.[a-z0-9-]+)*\\.securedrop\\.tor\\.onion\\/",
+  replaces_default_rulesets: false,
+};
+
+class HttpsEverywhereControl {
+  constructor() {
+    this._extensionMessaging = null;
+    this._init();
+  }
+
+  async _sendMessage(type, object) {
+    return this._extensionMessaging.sendMessage(
+      {
+        type,
+        object,
+      },
+      EXTENSION_ID
+    );
+  }
+
+  static async wait(seconds = 1) {
+    return new Promise(resolve => setTimeout(resolve, seconds * 1000));
+  }
+
+  /**
+   * Installs the .tor.onion update channel in https-everywhere
+   */
+  async installTorOnionUpdateChannel(retries = 5) {
+
+    // TODO: https-everywhere store is initialized asynchronously, so sending a message
+    // immediately results in a `store.get is undefined` error.
+    // For now, let's wait a bit and retry a few times if there is an error, but perhaps
+    // we could suggest https-everywhere to send a message when that happens and listen
+    // for that here.
+    await HttpsEverywhereControl.wait();
+
+    try {
+      // Delete the previous channel signing key, and add the new one below.
+      await this._sendMessage(
+        "delete_update_channel",
+        SECUREDROP_TOR_ONION_CHANNEL_2020.name
+      );
+    } catch (e) {
+      if (retries <= 0) {
+        throw new Error("Could not uninstall SecureDropTorOnion update channel");
+      }
+      await this.installTorOnionUpdateChannel(retries - 1);
+      return;
+    }
+
+    try {
+      // TODO: we may want a way to "lock" this update channel, so that it cannot be modified
+      // by the user via UI, but I think this is not possible at the time of writing via
+      // the existing messages in https-everywhere.
+      await this._sendMessage(
+        "create_update_channel",
+        SECUREDROP_TOR_ONION_CHANNEL.name
+      );
+    } catch (e) {
+      if (retries <= 0) {
+        throw new Error("Could not install SecureDropTorOnion update channel");
+      }
+      await this.installTorOnionUpdateChannel(retries - 1);
+      return;
+    }
+
+    await this._sendMessage(
+      "update_update_channel",
+      SECUREDROP_TOR_ONION_CHANNEL
+    );
+  }
+
+  /**
+   * Returns the .tor.onion rulesets available in https-everywhere
+   */
+  async getTorOnionRules() {
+    return this._sendMessage("get_simple_rules_ending_with", ".tor.onion");
+  }
+
+  /**
+   * Returns the timestamp of the last .tor.onion update channel update.
+   */
+  async getRulesetTimestamp() {
+    const rulesets = await this._sendMessage("get_update_channel_timestamps");
+    const securedrop =
+      rulesets &&
+      rulesets.find(([{ name }]) => name === SECUREDROP_TOR_ONION_CHANNEL.name);
+    if (securedrop) {
+      const [
+        updateChannel, // This has the same structure as SECUREDROP_TOR_ONION_CHANNEL
+        lastUpdatedTimestamp, // An integer, 0 if the update channel was never updated
+      ] = securedrop;
+      void updateChannel; // Ignore eslint unused warning for ruleset
+      return lastUpdatedTimestamp;
+    }
+    return null;
+  }
+
+  unload() {
+    if (this._extensionMessaging) {
+      this._extensionMessaging.unload();
+      this._extensionMessaging = null;
+    }
+  }
+
+  _init() {
+    if (!this._extensionMessaging) {
+      this._extensionMessaging = new ExtensionMessaging();
+    }
+
+    // update all of the existing https-everywhere channels
+    setTimeout(async () => {
+      let pinnedChannels = await this._sendMessage("get_pinned_update_channels");
+      for(let channel of pinnedChannels.update_channels) {
+        this._sendMessage("update_update_channel", channel);
+      }
+
+      let storedChannels = await this._sendMessage("get_stored_update_channels");
+      for(let channel of storedChannels.update_channels) {
+        this._sendMessage("update_update_channel", channel);
+      }
+    }, 0);
+
+
+  }
+}
diff --git a/browser/components/onionservices/OnionAliasStore.jsm b/browser/components/onionservices/OnionAliasStore.jsm
new file mode 100644
index 0000000000000..66cf569227bf7
--- /dev/null
+++ b/browser/components/onionservices/OnionAliasStore.jsm
@@ -0,0 +1,201 @@
+// Copyright (c) 2020, The Tor Project, Inc.
+
+"use strict";
+
+const EXPORTED_SYMBOLS = ["OnionAliasStore"];
+
+const { Services } = ChromeUtils.import("resource://gre/modules/Services.jsm");
+const { XPCOMUtils } = ChromeUtils.import(
+  "resource://gre/modules/XPCOMUtils.jsm"
+);
+const { setTimeout, clearTimeout } = ChromeUtils.import(
+  "resource://gre/modules/Timer.jsm"
+);
+const { HttpsEverywhereControl } = ChromeUtils.import(
+  "resource:///modules/HttpsEverywhereControl.jsm"
+);
+
+// Logger adapted from CustomizableUI.jsm
+const kPrefOnionAliasDebug = "browser.onionalias.debug";
+XPCOMUtils.defineLazyPreferenceGetter(
+  this,
+  "gDebuggingEnabled",
+  kPrefOnionAliasDebug,
+  false,
+  (pref, oldVal, newVal) => {
+    if (typeof log != "undefined") {
+      log.maxLogLevel = newVal ? "all" : "log";
+    }
+  }
+);
+XPCOMUtils.defineLazyGetter(this, "log", () => {
+  let scope = {};
+  ChromeUtils.import("resource://gre/modules/Console.jsm", scope);
+  let consoleOptions = {
+    maxLogLevel: gDebuggingEnabled ? "all" : "log",
+    prefix: "OnionAlias",
+  };
+  return new scope.ConsoleAPI(consoleOptions);
+});
+
+function observe(topic, callback) {
+  let observer = {
+    observe(aSubject, aTopic, aData) {
+      if (topic === aTopic) {
+        callback(aSubject, aData);
+      }
+    },
+  };
+  Services.obs.addObserver(observer, topic);
+  return () => Services.obs.removeObserver(observer, topic);
+}
+
+class _OnionAliasStore {
+  static get RULESET_CHECK_INTERVAL() {
+    return 1000 * 60; // 1 minute
+  }
+
+  static get RULESET_CHECK_INTERVAL_FAST() {
+    return 1000 * 5; // 5 seconds
+  }
+
+  constructor() {
+    this._onionMap = new Map();
+    this._rulesetTimeout = null;
+    this._removeObserver = () => {};
+    this._canLoadRules = false;
+    this._rulesetTimestamp = null;
+    this._updateChannelInstalled = false;
+  }
+
+  async _periodicRulesetCheck() {
+    // TODO: it would probably be preferable to listen to some message broadcasted by
+    // the https-everywhere extension when some update channel is updated, instead of
+    // polling every N seconds.
+    log.debug("Checking for new rules");
+    const ts = await this.httpsEverywhereControl.getRulesetTimestamp();
+    log.debug(
+      `Found ruleset timestamp ${ts}, current is ${this._rulesetTimestamp}`
+    );
+    if (ts !== this._rulesetTimestamp) {
+      this._rulesetTimestamp = ts;
+      log.debug("New rules found, updating");
+      // We clear the mappings even if we cannot load the rules from https-everywhere,
+      // since we cannot be sure if the stored mappings are correct anymore.
+      this._clear();
+      if (this._canLoadRules) {
+        await this._loadRules();
+      }
+    }
+    // If the timestamp is 0, that means the update channel was not yet updated, so
+    // we schedule a check soon.
+    this._rulesetTimeout = setTimeout(
+      () => this._periodicRulesetCheck(),
+      ts === 0
+        ? _OnionAliasStore.RULESET_CHECK_INTERVAL_FAST
+        : _OnionAliasStore.RULESET_CHECK_INTERVAL
+    );
+  }
+
+  async init() {
+    this.httpsEverywhereControl = new HttpsEverywhereControl();
+
+    // Setup .tor.onion rule loading.
+    // The http observer is a fallback, and is removed in _loadRules() as soon as we are able
+    // to load some rules from HTTPS Everywhere.
+    this._loadHttpObserver();
+    try {
+      await this.httpsEverywhereControl.installTorOnionUpdateChannel();
+      this._updateChannelInstalled = true;
+      await this.httpsEverywhereControl.getTorOnionRules();
+      this._canLoadRules = true;
+    } catch (e) {
+      // Loading rules did not work, probably because "get_simple_rules_ending_with" is not yet
+      // working in https-everywhere. Use an http observer as a fallback for learning the rules.
+      log.debug(`Could not load rules: ${e.message}`);
+    }
+
+    // Setup checker for https-everywhere ruleset updates
+    if (this._updateChannelInstalled) {
+      this._periodicRulesetCheck();
+    }
+  }
+
+  /**
+   * Loads the .tor.onion mappings from https-everywhere.
+   */
+  async _loadRules() {
+    const rules = await this.httpsEverywhereControl.getTorOnionRules();
+    // Remove http observer if we are able to load some rules directly.
+    if (rules.length) {
+      this._removeObserver();
+      this._removeObserver = () => {};
+    }
+    this._clear();
+    log.debug(`Loading ${rules.length} rules`, rules);
+    for (const rule of rules) {
+      // Here we are trusting that the securedrop ruleset follows some conventions so that we can
+      // assume there is a host mapping from `rule.host` to the hostname of the URL in `rule.to`.
+      try {
+        const url = new URL(rule.to);
+        const shortHost = rule.host;
+        const longHost = url.hostname;
+        this._addMapping(shortHost, longHost);
+      } catch (e) {
+        log.error("Could not process rule:", rule);
+      }
+    }
+  }
+
+  /**
+   * Loads a http observer to listen for local redirects for populating
+   * the .tor.onion -> .onion mappings. Should only be used if we cannot ask https-everywhere
+   * directly for the mappings.
+   */
+  _loadHttpObserver() {
+    this._removeObserver = observe("http-on-before-connect", channel => {
+      if (
+        channel.isMainDocumentChannel &&
+        channel.originalURI.host.endsWith(".tor.onion")
+      ) {
+        this._addMapping(channel.originalURI.host, channel.URI.host);
+      }
+    });
+  }
+
+  uninit() {
+    this._clear();
+    this._removeObserver();
+    this._removeObserver = () => {};
+    if (this.httpsEverywhereControl) {
+      this.httpsEverywhereControl.unload();
+      delete this.httpsEverywhereControl;
+    }
+    clearTimeout(this._rulesetTimeout);
+    this._rulesetTimeout = null;
+    this._rulesetTimestamp = null;
+  }
+
+  _clear() {
+    this._onionMap.clear();
+  }
+
+  _addMapping(shortOnionHost, longOnionHost) {
+    this._onionMap.set(longOnionHost, shortOnionHost);
+  }
+
+  getShortURI(onionURI) {
+    if (
+      (onionURI.schemeIs("http") || onionURI.schemeIs("https")) &&
+      this._onionMap.has(onionURI.host)
+    ) {
+      return onionURI
+        .mutate()
+        .setHost(this._onionMap.get(onionURI.host))
+        .finalize();
+    }
+    return null;
+  }
+}
+
+let OnionAliasStore = new _OnionAliasStore();
diff --git a/browser/components/onionservices/moz.build b/browser/components/onionservices/moz.build
index 2661ad7cb9f3d..8156853220244 100644
--- a/browser/components/onionservices/moz.build
+++ b/browser/components/onionservices/moz.build
@@ -1 +1,7 @@
 JAR_MANIFESTS += ["jar.mn"]
+
+EXTRA_JS_MODULES += [
+    "ExtensionMessaging.jsm",
+    "HttpsEverywhereControl.jsm",
+    "OnionAliasStore.jsm",
+]
diff --git a/browser/components/urlbar/UrlbarInput.jsm b/browser/components/urlbar/UrlbarInput.jsm
index db83e09109bf2..29ee12914719b 100644
--- a/browser/components/urlbar/UrlbarInput.jsm
+++ b/browser/components/urlbar/UrlbarInput.jsm
@@ -359,7 +359,10 @@ class UrlbarInput {
     // user makes the input empty, switches tabs, and switches back, we want the
     // URI to become visible again so the user knows what URI they're viewing.
     if (value === null || (!value && dueToTabSwitch)) {
-      uri = uri || this.window.gBrowser.currentURI;
+      uri =
+        uri ||
+        this.window.gBrowser.selectedBrowser.currentOnionAliasURI ||
+        this.window.gBrowser.currentURI;
       // Strip off usernames and passwords for the location bar
       try {
         uri = Services.io.createExposableURI(uri);
@@ -2129,7 +2132,13 @@ class UrlbarInput {
     }
 
     let uri;
-    if (this.getAttribute("pageproxystate") == "valid") {
+    // When we rewrite .onion to an alias, gBrowser.currentURI will be different than
+    // the URI displayed in the urlbar. We need to use the urlbar value to copy the
+    // alias instead of the actual .onion URI that is loaded.
+    if (
+      this.getAttribute("pageproxystate") == "valid" &&
+      !this.window.gBrowser.selectedBrowser.currentOnionAliasURI
+    ) {
       uri = this.window.gBrowser.currentURI;
     } else {
       // The value could be:
diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
index d8a059910a0f9..0632b6fac2598 100644
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -5766,6 +5766,10 @@ void nsDocShell::OnRedirectStateChange(nsIChannel* aOldChannel,
     return;
   }
 
+  if (!mOnionUrlbarRewritesAllowed && IsTorOnionRedirect(oldURI, newURI)) {
+    mOnionUrlbarRewritesAllowed = true;
+  }
+
   // DocumentChannel adds redirect chain to global history in the parent
   // process. The redirect chain can't be queried from the content process, so
   // there's no need to update global history here.
@@ -9187,6 +9191,20 @@ static bool NavigationShouldTakeFocus(nsDocShell* aDocShell,
   return !Preferences::GetBool("browser.tabs.loadDivertedInBackground", false);
 }
 
+/* static */
+bool nsDocShell::IsTorOnionRedirect(nsIURI* aOldURI, nsIURI* aNewURI) {
+  nsAutoCString oldHost;
+  nsAutoCString newHost;
+  if (aOldURI && aNewURI && NS_SUCCEEDED(aOldURI->GetHost(oldHost)) &&
+      StringEndsWith(oldHost, ".tor.onion"_ns) &&
+      NS_SUCCEEDED(aNewURI->GetHost(newHost)) &&
+      StringEndsWith(newHost, ".onion"_ns) &&
+      !StringEndsWith(newHost, ".tor.onion"_ns)) {
+    return true;
+  }
+  return false;
+}
+
 nsresult nsDocShell::InternalLoad(nsDocShellLoadState* aLoadState,
                                   Maybe<uint32_t> aCacheKey) {
   MOZ_ASSERT(aLoadState, "need a load state!");
@@ -9340,6 +9358,30 @@ nsresult nsDocShell::InternalLoad(nsDocShellLoadState* aLoadState,
 
   mAllowKeywordFixup = aLoadState->HasInternalLoadFlags(
       INTERNAL_LOAD_FLAGS_ALLOW_THIRD_PARTY_FIXUP);
+
+  if (mOnionUrlbarRewritesAllowed) {
+    mOnionUrlbarRewritesAllowed = false;
+    nsCOMPtr<nsIURI> referrer;
+    nsIReferrerInfo* referrerInfo = aLoadState->GetReferrerInfo();
+    if (referrerInfo) {
+      referrerInfo->GetOriginalReferrer(getter_AddRefs(referrer));
+      bool isPrivateWin = false;
+      Document* doc = GetDocument();
+      if (doc) {
+        isPrivateWin =
+            doc->NodePrincipal()->OriginAttributesRef().mPrivateBrowsingId > 0;
+        nsCOMPtr<nsIScriptSecurityManager> secMan =
+            do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID);
+        mOnionUrlbarRewritesAllowed =
+            secMan && NS_SUCCEEDED(secMan->CheckSameOriginURI(
+                          aLoadState->URI(), referrer, false, isPrivateWin));
+      }
+    }
+  }
+  mOnionUrlbarRewritesAllowed =
+      mOnionUrlbarRewritesAllowed ||
+      aLoadState->HasInternalLoadFlags(INTERNAL_LOAD_FLAGS_ALLOW_ONION_URLBAR_REWRITES);
+
   mURIResultedInDocument = false;  // reset the clock...
 
   // See if this is actually a load between two history entries for the same
@@ -11762,6 +11804,7 @@ nsresult nsDocShell::AddToSessionHistory(
                 HistoryID(), GetCreatedDynamically(), originalURI,
                 resultPrincipalURI, loadReplace, referrerInfo, srcdoc,
                 srcdocEntry, baseURI, saveLayoutState, expired, userActivation);
+  entry->SetOnionUrlbarRewritesAllowed(mOnionUrlbarRewritesAllowed);
 
   if (mBrowsingContext->IsTop() && GetSessionHistory()) {
     bool shouldPersist = ShouldAddToSessionHistory(aURI, aChannel);
@@ -13692,3 +13735,12 @@ void nsDocShell::MaybeDisconnectChildListenersOnPageHide() {
     mChannelToDisconnectOnPageHide = 0;
   }
 }
+
+NS_IMETHODIMP
+nsDocShell::GetOnionUrlbarRewritesAllowed(bool* aOnionUrlbarRewritesAllowed) {
+  NS_ENSURE_ARG(aOnionUrlbarRewritesAllowed);
+  *aOnionUrlbarRewritesAllowed =
+      StaticPrefs::browser_urlbar_onionRewrites_enabled() &&
+      mOnionUrlbarRewritesAllowed;
+  return NS_OK;
+}
diff --git a/docshell/base/nsDocShell.h b/docshell/base/nsDocShell.h
index 1b06af5c84e5c..adbbf38ef2775 100644
--- a/docshell/base/nsDocShell.h
+++ b/docshell/base/nsDocShell.h
@@ -134,6 +134,9 @@ class nsDocShell final : public nsDocLoader,
 
     // Whether the load should go through LoadURIDelegate.
     INTERNAL_LOAD_FLAGS_BYPASS_LOAD_URI_DELEGATE = 0x2000,
+
+    // Whether rewriting the urlbar to a short .onion alias is allowed.
+    INTERNAL_LOAD_FLAGS_ALLOW_ONION_URLBAR_REWRITES = 0x4000,
   };
 
   // Event type dispatched by RestorePresentation
@@ -568,6 +571,8 @@ class nsDocShell final : public nsDocLoader,
 
   virtual void DestroyChildren() override;
 
+  static bool IsTorOnionRedirect(nsIURI* aOldURI, nsIURI* aNewURI);
+
   // Overridden from nsDocLoader, this provides more information than the
   // normal OnStateChange with flags STATE_REDIRECTING
   virtual void OnRedirectStateChange(nsIChannel* aOldChannel,
@@ -1265,6 +1270,7 @@ class nsDocShell final : public nsDocLoader,
   bool mCSSErrorReportingEnabled : 1;
   bool mAllowAuth : 1;
   bool mAllowKeywordFixup : 1;
+  bool mOnionUrlbarRewritesAllowed : 1;
   bool mDisableMetaRefreshWhenInactive : 1;
   bool mIsAppTab : 1;
   bool mDeviceSizeIsPageSize : 1;
diff --git a/docshell/base/nsDocShellLoadState.cpp b/docshell/base/nsDocShellLoadState.cpp
index 6cac48a517283..9eb0e9307113e 100644
--- a/docshell/base/nsDocShellLoadState.cpp
+++ b/docshell/base/nsDocShellLoadState.cpp
@@ -874,6 +874,10 @@ void nsDocShellLoadState::CalculateLoadURIFlags() {
     mInternalLoadFlags |= nsDocShell::INTERNAL_LOAD_FLAGS_FIRST_LOAD;
   }
 
+  if (mLoadFlags & nsIWebNavigation::LOAD_FLAGS_ALLOW_ONION_URLBAR_REWRITES) {
+    mInternalLoadFlags |= nsDocShell::INTERNAL_LOAD_FLAGS_ALLOW_ONION_URLBAR_REWRITES;
+  }
+
   if (mLoadFlags & nsIWebNavigation::LOAD_FLAGS_BYPASS_CLASSIFIER) {
     mInternalLoadFlags |= nsDocShell::INTERNAL_LOAD_FLAGS_BYPASS_CLASSIFIER;
   }
diff --git a/docshell/base/nsIDocShell.idl b/docshell/base/nsIDocShell.idl
index 352b70d120305..bd373c54a6327 100644
--- a/docshell/base/nsIDocShell.idl
+++ b/docshell/base/nsIDocShell.idl
@@ -838,4 +838,9 @@ interface nsIDocShell : nsIDocShellTreeItem
    * until session history state is moved into the parent process.
    */
   void persistLayoutHistoryState();
+
+  /**
+   * Whether rewriting the urlbar to a short .onion alias is allowed.
+   */
+  [infallible] readonly attribute boolean onionUrlbarRewritesAllowed;
 };
diff --git a/docshell/base/nsIWebNavigation.idl b/docshell/base/nsIWebNavigation.idl
index bec4f13d8b2b2..2ee46f3d68869 100644
--- a/docshell/base/nsIWebNavigation.idl
+++ b/docshell/base/nsIWebNavigation.idl
@@ -268,6 +268,11 @@ interface nsIWebNavigation : nsISupports
    */
   const unsigned long LOAD_FLAGS_USER_ACTIVATION = 0x8000000;
 
+  /**
+   * Allow rewriting the urlbar to a short .onion alias.
+   */
+  const unsigned long LOAD_FLAGS_ALLOW_ONION_URLBAR_REWRITES = 0x10000000;
+
   /**
    * Loads a given URI.  This will give priority to loading the requested URI
    * in the object implementing this interface.  If it can't be loaded here
diff --git a/docshell/shistory/SessionHistoryEntry.cpp b/docshell/shistory/SessionHistoryEntry.cpp
index 509955485108e..3a882dd1ffe79 100644
--- a/docshell/shistory/SessionHistoryEntry.cpp
+++ b/docshell/shistory/SessionHistoryEntry.cpp
@@ -934,6 +934,20 @@ SessionHistoryEntry::SetPersist(bool aPersist) {
   return NS_OK;
 }
 
+NS_IMETHODIMP
+SessionHistoryEntry::GetOnionUrlbarRewritesAllowed(
+    bool* aOnionUrlbarRewritesAllowed) {
+  *aOnionUrlbarRewritesAllowed = mInfo->mOnionUrlbarRewritesAllowed;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+SessionHistoryEntry::SetOnionUrlbarRewritesAllowed(
+    bool aOnionUrlbarRewritesAllowed) {
+  mInfo->mOnionUrlbarRewritesAllowed = aOnionUrlbarRewritesAllowed;
+  return NS_OK;
+}
+
 NS_IMETHODIMP
 SessionHistoryEntry::GetScrollPosition(int32_t* aX, int32_t* aY) {
   *aX = mInfo->mScrollPositionX;
diff --git a/docshell/shistory/SessionHistoryEntry.h b/docshell/shistory/SessionHistoryEntry.h
index 2fa195cf3b8f0..8f7e6f3193e97 100644
--- a/docshell/shistory/SessionHistoryEntry.h
+++ b/docshell/shistory/SessionHistoryEntry.h
@@ -170,6 +170,7 @@ class SessionHistoryInfo {
   bool mPersist = true;
   bool mHasUserInteraction = false;
   bool mHasUserActivation = false;
+  bool mOnionUrlbarRewritesAllowed = false;
 
   union SharedState {
     SharedState();
diff --git a/docshell/shistory/nsISHEntry.idl b/docshell/shistory/nsISHEntry.idl
index 73ac40551d4e4..622402456d076 100644
--- a/docshell/shistory/nsISHEntry.idl
+++ b/docshell/shistory/nsISHEntry.idl
@@ -260,6 +260,11 @@ interface nsISHEntry : nsISupports
      */
     [infallible] attribute boolean persist;
 
+    /**
+     * Whether rewriting the urlbar to a short .onion alias is allowed.
+     */
+    [infallible] attribute boolean onionUrlbarRewritesAllowed;
+
     /**
      * Set/Get the visual viewport scroll position if session history is
      * changed through anchor navigation or pushState.
diff --git a/docshell/shistory/nsSHEntry.cpp b/docshell/shistory/nsSHEntry.cpp
index 1e4000eacd2bc..41ea6086df8b4 100644
--- a/docshell/shistory/nsSHEntry.cpp
+++ b/docshell/shistory/nsSHEntry.cpp
@@ -44,7 +44,8 @@ nsSHEntry::nsSHEntry()
       mLoadedInThisProcess(false),
       mPersist(true),
       mHasUserInteraction(false),
-      mHasUserActivation(false) {}
+      mHasUserActivation(false),
+      mOnionUrlbarRewritesAllowed(false) {}
 
 nsSHEntry::nsSHEntry(const nsSHEntry& aOther)
     : mShared(aOther.mShared),
@@ -72,7 +73,8 @@ nsSHEntry::nsSHEntry(const nsSHEntry& aOther)
       mLoadedInThisProcess(aOther.mLoadedInThisProcess),
       mPersist(aOther.mPersist),
       mHasUserInteraction(false),
-      mHasUserActivation(aOther.mHasUserActivation) {}
+      mHasUserActivation(aOther.mHasUserActivation),
+      mOnionUrlbarRewritesAllowed(aOther.mOnionUrlbarRewritesAllowed) {}
 
 nsSHEntry::~nsSHEntry() {
   // Null out the mParent pointers on all our kids.
@@ -880,6 +882,18 @@ nsSHEntry::SetPersist(bool aPersist) {
   return NS_OK;
 }
 
+NS_IMETHODIMP
+nsSHEntry::GetOnionUrlbarRewritesAllowed(bool* aOnionUrlbarRewritesAllowed) {
+  *aOnionUrlbarRewritesAllowed = mOnionUrlbarRewritesAllowed;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+nsSHEntry::SetOnionUrlbarRewritesAllowed(bool aOnionUrlbarRewritesAllowed) {
+  mOnionUrlbarRewritesAllowed = aOnionUrlbarRewritesAllowed;
+  return NS_OK;
+}
+
 NS_IMETHODIMP
 nsSHEntry::CreateLoadInfo(nsDocShellLoadState** aLoadState) {
   nsCOMPtr<nsIURI> uri = GetURI();
@@ -929,6 +943,10 @@ nsSHEntry::CreateLoadInfo(nsDocShellLoadState** aLoadState) {
   } else {
     srcdoc = VoidString();
   }
+  if (GetOnionUrlbarRewritesAllowed()) {
+    flags |= nsDocShell::InternalLoad::
+        INTERNAL_LOAD_FLAGS_ALLOW_ONION_URLBAR_REWRITES;
+  }
   loadState->SetSrcdocData(srcdoc);
   loadState->SetBaseURI(baseURI);
   loadState->SetInternalLoadFlags(flags);
diff --git a/docshell/shistory/nsSHEntry.h b/docshell/shistory/nsSHEntry.h
index 326b0092cf940..76be0ac650505 100644
--- a/docshell/shistory/nsSHEntry.h
+++ b/docshell/shistory/nsSHEntry.h
@@ -66,6 +66,7 @@ class nsSHEntry : public nsISHEntry {
   bool mPersist;
   bool mHasUserInteraction;
   bool mHasUserActivation;
+  bool mOnionUrlbarRewritesAllowed;
 };
 
 #endif /* nsSHEntry_h */
diff --git a/dom/interfaces/base/nsIBrowser.idl b/dom/interfaces/base/nsIBrowser.idl
index 973a9244b8f8b..b8a25de3629e1 100644
--- a/dom/interfaces/base/nsIBrowser.idl
+++ b/dom/interfaces/base/nsIBrowser.idl
@@ -127,7 +127,8 @@ interface nsIBrowser : nsISupports
                                in boolean aIsSynthetic,
                                in boolean aHasRequestContextID,
                                in uint64_t aRequestContextID,
-                               in AString aContentType);
+                               in AString aContentType,
+                               in boolean aOnionUrlbarRewritesAllowed);
 
   /**
    * Determine what process switching behavior this browser element should have.
diff --git a/dom/ipc/BrowserChild.cpp b/dom/ipc/BrowserChild.cpp
index 9f1bccda2efef..bb368b38c5f42 100644
--- a/dom/ipc/BrowserChild.cpp
+++ b/dom/ipc/BrowserChild.cpp
@@ -3714,6 +3714,8 @@ NS_IMETHODIMP BrowserChild::OnLocationChange(nsIWebProgress* aWebProgress,
 
     locationChangeData->mayEnableCharacterEncodingMenu() =
         docShell->GetMayEnableCharacterEncodingMenu();
+    locationChangeData->onionUrlbarRewritesAllowed() =
+        docShell->GetOnionUrlbarRewritesAllowed();
 
     locationChangeData->contentPrincipal() = document->NodePrincipal();
     locationChangeData->contentPartitionedPrincipal() =
diff --git a/dom/ipc/BrowserParent.cpp b/dom/ipc/BrowserParent.cpp
index 4145111ae8490..10f94926a53ef 100644
--- a/dom/ipc/BrowserParent.cpp
+++ b/dom/ipc/BrowserParent.cpp
@@ -2788,7 +2788,8 @@ mozilla::ipc::IPCResult BrowserParent::RecvOnLocationChange(
           aLocationChangeData->isSyntheticDocument(),
           aLocationChangeData->requestContextID().isSome(),
           aLocationChangeData->requestContextID().valueOr(0),
-          aLocationChangeData->contentType());
+          aLocationChangeData->contentType(),
+          aLocationChangeData->onionUrlbarRewritesAllowed());
     }
   }
 
diff --git a/dom/ipc/PBrowser.ipdl b/dom/ipc/PBrowser.ipdl
index 5706c7f5da003..5b21a809251e5 100644
--- a/dom/ipc/PBrowser.ipdl
+++ b/dom/ipc/PBrowser.ipdl
@@ -143,6 +143,7 @@ struct WebProgressLocationChangeData
   bool isNavigating;
   bool isSyntheticDocument;
   bool mayEnableCharacterEncodingMenu;
+  bool onionUrlbarRewritesAllowed;
   nsString contentType;
   nsString title;
   nsString charset;
diff --git a/modules/libpref/init/StaticPrefList.yaml b/modules/libpref/init/StaticPrefList.yaml
index 3f578a7d37bc1..96796d1be1859 100644
--- a/modules/libpref/init/StaticPrefList.yaml
+++ b/modules/libpref/init/StaticPrefList.yaml
@@ -1338,6 +1338,12 @@
   value: true
   mirror: always
 
+  # Whether rewriting the urlbar to a short .onion alias is allowed.
+- name: browser.urlbar.onionRewrites.enabled
+  type: RelaxedAtomicBool
+  value: true
+  mirror: always
+
 - name: browser.viewport.desktopWidth
   type: RelaxedAtomicInt32
   value: 980
diff --git a/netwerk/dns/effective_tld_names.dat b/netwerk/dns/effective_tld_names.dat
index 4c0c6e9a98695..bdad4efc7f99b 100644
--- a/netwerk/dns/effective_tld_names.dat
+++ b/netwerk/dns/effective_tld_names.dat
@@ -5527,6 +5527,8 @@ pro.om
 
 // onion : https://tools.ietf.org/html/rfc7686
 onion
+tor.onion
+securedrop.tor.onion
 
 // org : https://en.wikipedia.org/wiki/.org
 org
diff --git a/netwerk/ipc/DocumentLoadListener.cpp b/netwerk/ipc/DocumentLoadListener.cpp
index 0b460750971a0..d76a14e1203af 100644
--- a/netwerk/ipc/DocumentLoadListener.cpp
+++ b/netwerk/ipc/DocumentLoadListener.cpp
@@ -2539,6 +2539,16 @@ DocumentLoadListener::AsyncOnChannelRedirect(
        "mHaveVisibleRedirect=%c",
        this, mHaveVisibleRedirect ? 'T' : 'F'));
 
+  // Like the code above for allowing mixed content, we need to check this here
+  // in case the redirect is not handled in the docshell.
+  nsCOMPtr<nsIURI> oldURI, newURI;
+  aOldChannel->GetURI(getter_AddRefs(oldURI));
+  aNewChannel->GetURI(getter_AddRefs(newURI));
+  if (nsDocShell::IsTorOnionRedirect(oldURI, newURI)) {
+    mLoadStateInternalLoadFlags |=
+        nsDocShell::INTERNAL_LOAD_FLAGS_ALLOW_ONION_URLBAR_REWRITES;
+  }
+
   // We need the original URI of the current channel to use to open the real
   // channel in the content process. Unfortunately we overwrite the original
   // uri of the new channel with the original pre-redirect URI, so grab
diff --git a/toolkit/content/widgets/browser-custom-element.js b/toolkit/content/widgets/browser-custom-element.js
index 59a7a5b435229..8120ca995103a 100644
--- a/toolkit/content/widgets/browser-custom-element.js
+++ b/toolkit/content/widgets/browser-custom-element.js
@@ -255,6 +255,8 @@
 
       this._mayEnableCharacterEncodingMenu = null;
 
+      this._onionUrlbarRewritesAllowed = false;
+
       this._contentPrincipal = null;
 
       this._contentPartitionedPrincipal = null;
@@ -583,6 +585,12 @@
       }
     }
 
+    get onionUrlbarRewritesAllowed() {
+      return this.isRemoteBrowser
+        ? this._onionUrlbarRewritesAllowed
+        : this.docShell.onionUrlbarRewritesAllowed;
+    }
+
     get contentPrincipal() {
       return this.isRemoteBrowser
         ? this._contentPrincipal
@@ -1112,7 +1120,8 @@
       aIsSynthetic,
       aHaveRequestContextID,
       aRequestContextID,
-      aContentType
+      aContentType,
+      aOnionUrlbarRewritesAllowed
     ) {
       if (this.isRemoteBrowser && this.messageManager) {
         if (aCharset != null) {
@@ -1134,6 +1143,7 @@
         this._contentRequestContextID = aHaveRequestContextID
           ? aRequestContextID
           : null;
+        this._onionUrlbarRewritesAllowed = aOnionUrlbarRewritesAllowed;
       }
     }
 
@@ -1535,6 +1545,7 @@
             "_contentPrincipal",
             "_contentPartitionedPrincipal",
             "_isSyntheticDocument",
+            "_onionUrlbarRewritesAllowed",
           ]
         );
       }
diff --git a/toolkit/modules/sessionstore/SessionHistory.jsm b/toolkit/modules/sessionstore/SessionHistory.jsm
index f02930aa6e22d..e78ec8ddf6b74 100644
--- a/toolkit/modules/sessionstore/SessionHistory.jsm
+++ b/toolkit/modules/sessionstore/SessionHistory.jsm
@@ -310,6 +310,7 @@ var SessionHistoryInternal = {
     }
 
     entry.persist = shEntry.persist;
+    entry.onionUrlbarRewritesAllowed = shEntry.onionUrlbarRewritesAllowed;
 
     return entry;
   },
@@ -604,6 +605,10 @@ var SessionHistoryInternal = {
       }
     }
 
+    if (entry.onionUrlbarRewritesAllowed) {
+      shEntry.onionUrlbarRewritesAllowed = entry.onionUrlbarRewritesAllowed;
+    }
+
     return shEntry;
   },
 
diff --git a/xpcom/reflect/xptinfo/xptinfo.h b/xpcom/reflect/xptinfo/xptinfo.h
index efee881c14217..4295efb39f1fc 100644
--- a/xpcom/reflect/xptinfo/xptinfo.h
+++ b/xpcom/reflect/xptinfo/xptinfo.h
@@ -514,7 +514,8 @@ static_assert(sizeof(nsXPTMethodInfo) == 8, "wrong size");
 #if defined(MOZ_THUNDERBIRD) || defined(MOZ_SUITE)
 #  define PARAM_BUFFER_COUNT 18
 #else
-#  define PARAM_BUFFER_COUNT 14
+// The max is currently updateForLocationChange in nsIBrowser.idl
+#  define PARAM_BUFFER_COUNT 15
 #endif
 
 /**

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.


More information about the tbb-commits mailing list