[tor-commits] [tor-browser/tor-browser-52.2.0esr-7.5-1] Bug 21321: .onion domains are shown as non-secure

gk at torproject.org gk at torproject.org
Thu Aug 3 09:12:06 UTC 2017


commit df2223e1b1f8a4b782e7e49bbbeb79296ea74dff
Author: Georg Koppen <gk at torproject.org>
Date:   Thu Aug 3 09:07:37 2017 +0000

    Bug 21321: .onion domains are shown as non-secure
    
    Websites which collect passwords but don't use HTTPS start showing scary
    warnings from Firefox 51 onwards (see:
    blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/
    for details).
    
    .onion sites without HTTPS support are affected as well, although their
    traffic is encrypted and authenticated. This patch addresses this
    shortcoming by making sure .onion sites are treated as potentially
    trustworthy origins.
    
    The secure context specification
    (https://w3c.github.io/webappsec-secure-contexts/) is pretty much focused
    on tying security and trustworthiness to the protocol over which domains
    are accessed. However, it is not obvious why .onion sites should not be
    treated as potentially trustworthy given:
    
    "A potentially trustworthy origin is one which a user agent can
    generally trust as delivering data securely.
    
    This algorithms [sic] considers certain hosts, scheme, and origins as
    potentially trustworthy, even though they might not be authenticated and
    encrypted in the traditional sense."
    (https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy)
    
    We use step 8 in the algorithm to establish trustworthiness of .onion
    sites by whitelisting them given the encrypted and authenticated nature
    of their traffic.
---
 browser/app/profile/000-tor-browser.js    | 3 +++
 dom/security/nsContentSecurityManager.cpp | 8 ++++++++
 2 files changed, 11 insertions(+)

diff --git a/browser/app/profile/000-tor-browser.js b/browser/app/profile/000-tor-browser.js
index 3edaad88f59e..5d209ccfdbe1 100644
--- a/browser/app/profile/000-tor-browser.js
+++ b/browser/app/profile/000-tor-browser.js
@@ -357,6 +357,9 @@ pref("security.ssl.errorReporting.enabled", false);
 // in case the download panel got removed from the toolbar.
 pref("browser.download.panel.shown", true);
 
+// Treat .onions as secure
+pref("dom.securecontext.whitelist_onions", true);
+
 #ifdef TOR_BROWSER_VERSION
 #expand pref("torbrowser.version", __TOR_BROWSER_VERSION__);
 #endif
diff --git a/dom/security/nsContentSecurityManager.cpp b/dom/security/nsContentSecurityManager.cpp
index c4e1ed8e18a9..c95226b56e91 100644
--- a/dom/security/nsContentSecurityManager.cpp
+++ b/dom/security/nsContentSecurityManager.cpp
@@ -689,6 +689,14 @@ nsContentSecurityManager::IsOriginPotentiallyTrustworthy(nsIPrincipal* aPrincipa
         }
       }
     }
+    // Maybe we have a .onion URL. Treat it as whitelisted as well when
+    // `dom.securecontext.whitelist_onions` is `true`.
+    bool whitelistOnions =
+      Preferences::GetBool("dom.securecontext.whitelist_onions", false);
+    if (whitelistOnions && StringEndsWith(host, NS_LITERAL_CSTRING(".onion"))) {
+      *aIsTrustWorthy = true;
+      return NS_OK;
+    }
   }
 
   return NS_OK;





More information about the tor-commits mailing list