[tor-bugs] #33726 [Applications/Tor Browser]: Fix patch for #23247: Communicating security expectations for .onion
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Mar 25 17:24:00 UTC 2020
#33726: Fix patch for #23247: Communicating security expectations for .onion
------------------------------------------+--------------------------------
 Reporter:       acat                     | Owner:     tbb-team
 Type:           defect                   | Status:    new
 Priority:       Medium                   | Milestone:
 Component:      Applications/Tor Browser | Version:
 Severity:       Normal                   | Keywords:  TorBrowserTeam202003
 Actual Points:                           | Parent ID:
 Points:                                  | Reviewer:
 Sponsor:                                 |
------------------------------------------+--------------------------------
While working on #33533 I realized that in the switch to ESR68 (#30429)
the patch for #23247 was ported incorrectly. The original patch for ESR60
was `651e4ef7de3e` and the mistake was introduced in revision
https://github.com/acatarineu/tor-browser/commits/30429+6 (see comment in
https://trac.torproject.org/projects/tor/ticket/30429#comment:26).
My understanding is that in the original patch, the block of
`if (isHttpScheme && IsPotentiallyTrustworthyOnion(innerContentLocation)) {`
was moved from
https://github.com/acatarineu/tor-browser/commit/651e4ef7de3e#diff-b6c711bd6646bb39271394da3fc55d0cL754
to
https://github.com/acatarineu/tor-browser/commit/651e4ef7de3e#diff-b6c711bd6646bb39271394da3fc55d0cR737
in order to allow mixed contents in workers for the .onion case (which
would get disallowed otherwise).
However, in ESR68 there's `IsPotentiallyTrustworthyOrigin`, which includes
`IsPotentiallyTrustworthyOnion`. So, I think this block:
https://github.com/acatarineu/tor-browser/commit/6301359f2742d070b1b4149d13c388e96b1b8080#diff-b6c711bd6646bb39271394da3fc55d0cL778
should not be removed, since it's not the same as the one that is added in
https://github.com/acatarineu/tor-browser/commit/6301359f2742d070b1b4149d13c388e96b1b8080#diff-b6c711bd6646bb39271394da3fc55d0cR771.
I think this is not a security issue; the result of this bug is that we
are not allowing cases that we should (all cases of
`IsPotentiallyTrustworthyOrigin` that are not `.onion`).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33726>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online