[tor-bugs] #30237 [Applications/Tor Browser]: Tor Browser: Improve TBB UI of hidden service client authorization
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon May 20 16:11:06 UTC 2019
#30237: Tor Browser: Improve TBB UI of hidden service client authorization
--------------------------------------+-----------------------------------
Reporter: asn | Owner: tbb-team
Type: defect | Status: needs_information
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: TorBrowserTeam201905 | Actual Points:
Parent ID: #30000 | Points:
Reviewer: | Sponsor: Sponsor27-must
--------------------------------------+-----------------------------------
Changes (by mcs):

* status: new => needs_information

Comment:

The mockups from comment:2 show a prompt that is contained entirely within
the content area. How concerned should we be about the "line of death"
issue (https://textslashplain.com/2017/01/14/the-line-of-death/)? It seems
like a bad idea to implement a prompt that any site could easily spoof,
but there are tradeoffs to consider.

This question came up as Kathy and I looked at various options within the
Firefox codebase for implementing the client auth prompt. We might be able
to use a doorhanger that includes an arrow that overlaps the chrome area
(thus avoiding the "line of death" problem). But doorhangers within
Firefox are designed for optional interactions and entering a key for
client auth is not optional.

We could use the prompt service (which is what HTTP basic auth uses), but
the prompts that are available to us are not very flexible. It might be a
lot of work to achieve the look we want; for example, I am not sure how to
implement the inline validation requirement. A final option is to just
implement an xhtml page (similar to what Firefox uses for network error
pages) where the entire prompt is contained within the content area. That
would give us the most flexibility, but of course "line of death" is an
issue.

Antonela and others: what do you think?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30237#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online