[tbb-commits] [Git][tpo/applications/tor-browser][tor-browser-115.5.0esr-13.0-1] fixup! Bug 23247: Communicating security expectations for .onion
ma1 (@ma1)
git at gitlab.torproject.org
Mon Dec 4 12:07:16 UTC 2023
ma1 pushed to branch tor-browser-115.5.0esr-13.0-1 at The Tor Project / Applications / Tor Browser
Commits:
91e057ca by cypherpunks1 at 2023-12-04T13:06:55+01:00
fixup! Bug 23247: Communicating security expectations for .onion
Bug 42231: Improve the network monitor patch for http onion resources
- - - - -
2 changed files:
- devtools/client/netmonitor/src/components/SecurityState.js
- devtools/shared/network-observer/NetworkHelper.sys.mjs
Changes:
=====================================
devtools/client/netmonitor/src/components/SecurityState.js
=====================================
@@ -41,7 +41,7 @@ class SecurityState extends Component {
const {
securityState,
- urlDetails: { isLocal },
+ urlDetails: { host, isLocal },
} = item;
const iconClassList = ["requests-security-state-icon"];
@@ -50,7 +50,11 @@ class SecurityState extends Component {
// Locally delivered files such as http://localhost and file:// paths
// are considered to have been delivered securely.
- if (isLocal) {
+ if (
+ isLocal ||
+ (host?.endsWith(".onion") &&
+ Services.prefs.getBoolPref("dom.securecontext.allowlist_onions", false))
+ ) {
realSecurityState = "secure";
}
=====================================
devtools/shared/network-observer/NetworkHelper.sys.mjs
=====================================
@@ -596,9 +596,6 @@ export var NetworkHelper = {
// The request did not contain any security info.
if (!securityInfo) {
- if (httpActivity.hostname && httpActivity.hostname.endsWith(".onion")) {
- info.state = "secure";
- }
return info;
}
@@ -650,11 +647,7 @@ export var NetworkHelper = {
// schemes other than https and wss are subject to
// downgrade/etc at the scheme level and should always be
// considered insecure
- if (httpActivity.hostname && httpActivity.hostname.endsWith(".onion")) {
- info.state = "secure";
- } else {
- info.state = "insecure";
- }
+ info.state = "insecure";
} else if (state & wpl.STATE_IS_SECURE) {
// The connection is secure if the scheme is sufficient
info.state = "secure";
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/91e057ca292b1231023c37c2baf5f23f3729d5ea
--
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/91e057ca292b1231023c37c2baf5f23f3729d5ea
You're receiving this email because of your account on gitlab.torproject.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tbb-commits/attachments/20231204/020c74cf/attachment-0001.htm>
More information about the tbb-commits
mailing list