[tor-bugs] #21323 [Applications/Tor Browser]: Activate mixed content blocking

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon May 29 09:22:34 UTC 2017


#21323: Activate mixed content blocking
-------------------------------------------------+-------------------------
 Reporter:  arthuredelstein                      |          Owner:  tbb-team
     Type:  defect                               |         Status:  closed
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:  fixed
 Keywords:  TorBrowserTeam201705R,               |  Actual Points:
  GeorgKoppen201705                              |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by gk):

 * status:  needs_information => closed
 * resolution:   => fixed


Comment:

 Replying to [comment:20 gk]:
 > Replying to [comment:18 legind]:
 > > This is another issue entirely, partially mitigated by
 `upgrade-insecure-requests`, see
 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests.
 >
 > No, it is not. See:
 https://bugzilla.mozilla.org/show_bug.cgi?id=878890#c3. If the content
 policy (which Mixed Content Blocking (MCB) relies on) would have been
 called after all the redirects would have taken place we would not have
 this discussion now. :) But as I said above, while Mozilla did not fix the
 underlying problem they solved it differently for the MCB case.

 Actually, I have not checked whether it can still be the case that
 resources loaded over HTTP that would have been rewritten by an
 HTTPS-Everywhere rule (but are not due to MCB) would still be blocked by MCB
 before that could happen. If so, then the bug is still open for a good
 reason (and our #13033) as well. What I just meant was that redirects are
 taken into account now, so that the HTTPS -> HTTP downgrade issue is not a
 problem anymore.

 > Alright, after going over all the arguments I think it is okay for us to
 activate mixed content blocking. I won't do that by setting the pref to
 `true` as Arthur did but just by removing that entry in our
 `000-tor-browser.js`, which means we are using the default Firefox provides (which
 is enabling the mixed content blocker) from now on.

 This is done with commit c1a5e1abf6ee05b0b1d3b1462b3c9e1c180b153e and
 29b34b444229fd09fcf7741a206230385e843fde on `tor-browser-52.1.0esr-7.0-2`
 and `tor-browser-52.1.1esr-7.0-1`.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21323#comment:21>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

