[tbb-commits] [Git][tpo/applications/tor-browser][tor-browser-128.2.0esr-14.0-1] fixup! Bug 23247: Communicating security expectations for .onion
Pier Angelo Vendrame (@pierov)
git at gitlab.torproject.org
Thu Aug 29 08:24:40 UTC 2024
Pier Angelo Vendrame pushed to branch tor-browser-128.2.0esr-14.0-1 at The Tor Project / Applications / Tor Browser
Commits:
df421101 by Pier Angelo Vendrame at 2024-08-29T10:15:34+02:00
fixup! Bug 23247: Communicating security expectations for .onion
Bug 42743: Check for .onion in the actual document URI in pageInfo.
One of our patches checks whether we are in a .onion domain when
showing the security information in pageInfo.xhtml.
However, it checks it in the requested URI rather than doing it on the
actually loaded URI, therefore about:neterror is shown as a secure
Onion service, which is not consistent with failures in loading
clearnet domains with HTTPS.
- - - - -
1 changed file:
- browser/base/content/pageinfo/security.js
Changes:
=====================================
browser/base/content/pageinfo/security.js
=====================================
@@ -53,16 +53,15 @@ var security = {
(Ci.nsIWebProgressListener.STATE_LOADED_MIXED_ACTIVE_CONTENT |
Ci.nsIWebProgressListener.STATE_LOADED_MIXED_DISPLAY_CONTENT);
var isEV = ui.state & Ci.nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL;
- var isOnion = false;
- let hostName;
- try {
- hostName = Services.eTLD.getBaseDomain(this.uri);
- } catch (e) {
- hostName = this.windowInfo.hostName;
- }
- if (hostName && hostName.endsWith(".onion")) {
- isOnion = true;
+ let uriInformation = new URL(gDocInfo.documentURIObject.spec);
+ // If the Onion site could not be loaded, the view-source will be also be
+ // about:neterror.
+ if (uriInformation.protocol == "view-source:") {
+ uriInformation = new URL(uriInformation.pathname);
}
+ const isOnion =
+ ["http:", "https:"].includes(uriInformation.protocol) &&
+ uriInformation.hostname.endsWith(".onion");
let retval = {
cAName: "",
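Review bot: In the `view-source:` branch, `new URL(uriInformation.pathname)` (and the initial `new URL(gDocInfo.documentURIObject.spec)` above it) run without the try/catch that the removed `getBaseDomain` lookup had, so a value that does not parse as an absolute URL would throw before `retval` is built. Consider guarding both calls and treating a parse failure as `isOnion = false`, which is the safe default for a security indicator. Separately, `uriInformation.hostname.endsWith(".onion")` does not match a host written with a trailing dot (`example.onion.`), since `URL.hostname` preserves it, so it is worth confirming whether that form can reach this code. The new comment also has a doubled word: "will be also be".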
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/df421101a73500ef998c88822f32b3917e065c25