[tor-bugs] #32645 [Applications/Tor Browser]: Update URL bar onion indicators
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Feb 12 23:54:32 UTC 2020
#32645: Update URL bar onion indicators
--------------------------------------------+------------------------------
Reporter: antonela | Owner: pospeselr
Type: defect | Status: needs_review
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ux-team, TorBrowserTeam202002R | Actual Points:
Parent ID: #30025 | Points:
Reviewer: | Sponsor:
| Sponsor27-must
--------------------------------------------+------------------------------
Changes (by pospeselr):
* status: assigned => needs_review
Comment:
Ok, once again implemented as a fixup commit on
7d3475febd37ae2b35432105f5e4c0da30852bc6. We needed to add the Onion+Slash
icon for Onion firstparty and HTTP active content (javascript). I also
simplified things a bit as there is no reason to have special logic or css
rules for self-signed onion sites.
-----
This patch alone is not sufficient for all scenarios.
We need to rework when the user-override screen comes up, as currently
self-signed HTTPS onionsites and HTTPS onionsites with unknown certificate
authorities will pop a warning page that the user has to manually click
through (basically the behaviour on the clearnet for these pages: https
://self-signed.badssl.com/ and https://untrusted-root.badssl.com/ ). I'm
intending to fix this problem in a separate patch for #13410.
HTTP Onion sites with clearnet HTTP forms do not currently trigger a popup
warning on form submission (see clearnet version here: https://mixed-
form.badssl.com/ ). It seems firefox only does this on HTTPS pages so we
need to make it so it does this on HTTP onionsites as well. I'll file a
new bug for this issue and parent it to #30005.
I'm currently testing this patch with the following onionsite scenarios
and all is working as expected apart from the previously mentioned issues:
- HTTP Onion
- HTTPS Onion Self-Signed
- HTTPS Onion Unknown CA
- HTTPS Onion EV
- HTTPS Onion Wrong Domain
- HTTP(S) Onion + HTTP Script
- HTTP(S) Onion + HTTP Content
- HTTP(S) Onion + HTTPS Content
- HTTP(S) Onion + HTTP Form
If you can think of any weird scenarios I nee to think about do let me
know!
tor-browser: https://gitweb.torproject.org/user/richard/tor-
browser.git/commit/?h=bug_32645_v2
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32645#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list