[tbb-commits] [Git][tpo/applications/tor-browser][tor-browser-115.4.0esr-13.5-1] fixup! Bug 23247: Communicating security expectations for .onion

ma1 (@ma1) git at gitlab.torproject.org
Mon Nov 6 21:23:16 UTC 2023



ma1 pushed to branch tor-browser-115.4.0esr-13.5-1 at The Tor Project / Applications / Tor Browser


Commits:
8627f8e1 by cypherpunks1 at 2023-11-06T21:22:17+00:00
fixup! Bug 23247: Communicating security expectations for .onion

Bug 42231: Improve the network monitor patch for http onion resources

- - - - -


2 changed files:

- devtools/client/netmonitor/src/components/SecurityState.js
- devtools/shared/network-observer/NetworkHelper.sys.mjs


Changes:

=====================================
devtools/client/netmonitor/src/components/SecurityState.js
=====================================
@@ -41,7 +41,7 @@ class SecurityState extends Component {
 
     const {
       securityState,
-      urlDetails: { isLocal },
+      urlDetails: { host, isLocal },
     } = item;
     const iconClassList = ["requests-security-state-icon"];
 
@@ -50,7 +50,11 @@ class SecurityState extends Component {
 
     // Locally delivered files such as http://localhost and file:// paths
     // are considered to have been delivered securely.
-    if (isLocal) {
+    if (
+      isLocal ||
+      (host?.endsWith(".onion") &&
+        Services.prefs.getBoolPref("dom.securecontext.allowlist_onions", false))
+    ) {
       realSecurityState = "secure";
     }
 
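Review bot: The added clause sets `realSecurityState = "secure"` for every `.onion` host when the pref is on, regardless of the scheme or of the `securityState` that was reported, whereas the code this commit removes from NetworkHelper.sys.mjs only upgraded requests that had no security info or a non-https/wss scheme. If an https onion request can reach this branch with a degraded state, the icon would presumably mask it; consider restricting the override to the plain-http case, e.g. adding `securityState === "insecure" &&` inside the onion clause (confirm the exact state value against the rest of the method, which starts and ends outside the hunk). The test also moved from `httpActivity.hostname` to `urlDetails.host`; if `host` carries a port, an onion resource on a non-default port would no longer match `endsWith(".onion")`, so it is worth verifying what `host` holds. The comment above the `if` still describes only local files and should be extended, e.g. `// .onion hosts are treated the same when dom.securecontext.allowlist_onions is set.`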


=====================================
devtools/shared/network-observer/NetworkHelper.sys.mjs
=====================================
@@ -596,9 +596,6 @@ export var NetworkHelper = {
 
     // The request did not contain any security info.
     if (!securityInfo) {
-      if (httpActivity.hostname && httpActivity.hostname.endsWith(".onion")) {
-        info.state = "secure";
-      }
       return info;
     }
 
@@ -650,11 +647,7 @@ export var NetworkHelper = {
         // schemes other than https and wss are subject to
         // downgrade/etc at the scheme level and should always be
         // considered insecure
-        if (httpActivity.hostname && httpActivity.hostname.endsWith(".onion")) {
-          info.state = "secure";
-        } else {
-          info.state = "insecure";
-        }
+        info.state = "insecure";
       } else if (state & wpl.STATE_IS_SECURE) {
         // The connection is secure if the scheme is sufficient
         info.state = "secure";



View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/8627f8e1f78a8fc2ce2ba12b3b5314c020f7ca8f


