[tor-commits] [tor-browser/tor-browser-60.3.0esr-8.5-1] Bug 26690: Port padlock states for .onion services to mobile

gk at torproject.org gk at torproject.org
Thu Nov 29 12:39:43 UTC 2018


commit e5659b39d8bc51faecac5daa7f2cb9b63d4dccf8
Author: Igor Oliveira <igt0 at torproject.org>
Date:   Mon Oct 29 12:30:14 2018 -0200

    Bug 26690: Port padlock states for .onion services to mobile
    
    Prior to this patch, TBA was showing onion services as insecure
    connection and SSL/TLS ones as encrypted connections(lock icon).
    
    This patch fixes the issue adding several new onion icons to indicate
    all the various permutations of onions services hosted HTTP or HTTPS
    pages.
---
 .../src/main/res/drawable/site_security_icon.xml   |  10 +++++++++-
 .../app/src/photon/res/drawable-hdpi/ic_onion.png  | Bin 0 -> 807 bytes
 .../photon/res/drawable-hdpi/ic_onion_disabled.png | Bin 0 -> 975 bytes
 .../src/photon/res/drawable-hdpi/ic_onion_lock.png | Bin 0 -> 932 bytes
 .../app/src/photon/res/drawable-xhdpi/ic_onion.png | Bin 0 -> 1015 bytes
 .../res/drawable-xhdpi/ic_onion_disabled.png       | Bin 0 -> 1260 bytes
 .../photon/res/drawable-xhdpi/ic_onion_lock.png    | Bin 0 -> 1275 bytes
 .../src/photon/res/drawable-xxhdpi/ic_onion.png    | Bin 0 -> 1592 bytes
 .../res/drawable-xxhdpi/ic_onion_disabled.png      | Bin 0 -> 1892 bytes
 .../photon/res/drawable-xxhdpi/ic_onion_lock.png   | Bin 0 -> 1899 bytes
 .../src/photon/res/drawable-xxxhdpi/ic_onion.png   | Bin 0 -> 2099 bytes
 .../res/drawable-xxxhdpi/ic_onion_disabled.png     | Bin 0 -> 2526 bytes
 .../photon/res/drawable-xxxhdpi/ic_onion_lock.png  | Bin 0 -> 2568 bytes
 .../photon/res/drawable/security_mode_icon_nm.xml  |   9 +++++++++
 .../photon/res/drawable/security_mode_icon_pm.xml  |   9 +++++++++
 .../base/java/org/mozilla/gecko/SiteIdentity.java  |  14 ++++++++++++++
 .../mozilla/gecko/toolbar/SecurityModeUtil.java    |  21 ++++++++++++++++-----
 .../mozilla/gecko/toolbar/SiteIdentityPopup.java   |  17 +++++++++++------
 mobile/android/chrome/content/browser.js           |  14 +++++++++++++-
 19 files changed, 81 insertions(+), 13 deletions(-)

diff --git a/mobile/android/app/src/main/res/drawable/site_security_icon.xml b/mobile/android/app/src/main/res/drawable/site_security_icon.xml
index ac8624f861ad..f5f4c7775110 100644
--- a/mobile/android/app/src/main/res/drawable/site_security_icon.xml
+++ b/mobile/android/app/src/main/res/drawable/site_security_icon.xml
@@ -28,5 +28,13 @@
     <item
         android:drawable="@drawable/ic_search_icon"
         android:maxLevel="6" />
-
+    <item
+        android:drawable="@drawable/ic_onion"
+        android:maxLevel="7"/>
+    <item
+        android:drawable="@drawable/ic_onion_lock"
+        android:maxLevel="8"/>
+    <item
+        android:drawable="@drawable/ic_onion_disabled"
+        android:maxLevel="9"/>
 </level-list>
diff --git a/mobile/android/app/src/photon/res/drawable-hdpi/ic_onion.png b/mobile/android/app/src/photon/res/drawable-hdpi/ic_onion.png
new file mode 100644
index 000000000000..1a61d982752b
Binary files /dev/null and b/mobile/android/app/src/photon/res/drawable-hdpi/ic_onion.png differ
diff --git a/mobile/android/app/src/photon/res/drawable-hdpi/ic_onion_disabled.png b/mobile/android/app/src/photon/res/drawable-hdpi/ic_onion_disabled.png
new file mode 100644
index 000000000000..9669d12101fb
Binary files /dev/null and b/mobile/android/app/src/photon/res/drawable-hdpi/ic_onion_disabled.png differ
diff --git a/mobile/android/app/src/photon/res/drawable-hdpi/ic_onion_lock.png b/mobile/android/app/src/photon/res/drawable-hdpi/ic_onion_lock.png
new file mode 100644
index 000000000000..b0f60fea5b28
Binary files /dev/null and b/mobile/android/app/src/photon/res/drawable-hdpi/ic_onion_lock.png differ
diff --git a/mobile/android/app/src/photon/res/drawable-xhdpi/ic_onion.png b/mobile/android/app/src/photon/res/drawable-xhdpi/ic_onion.png
new file mode 100755
index 000000000000..074330c3a25a
Binary files /dev/null and b/mobile/android/app/src/photon/res/drawable-xhdpi/ic_onion.png differ
diff --git a/mobile/android/app/src/photon/res/drawable-xhdpi/ic_onion_disabled.png b/mobile/android/app/src/photon/res/drawable-xhdpi/ic_onion_disabled.png
new file mode 100755
index 000000000000..09db37998d33
Binary files /dev/null and b/mobile/android/app/src/photon/res/drawable-xhdpi/ic_onion_disabled.png differ
diff --git a/mobile/android/app/src/photon/res/drawable-xhdpi/ic_onion_lock.png b/mobile/android/app/src/photon/res/drawable-xhdpi/ic_onion_lock.png
new file mode 100755
index 000000000000..13799b7fa8f7
Binary files /dev/null and b/mobile/android/app/src/photon/res/drawable-xhdpi/ic_onion_lock.png differ
diff --git a/mobile/android/app/src/photon/res/drawable-xxhdpi/ic_onion.png b/mobile/android/app/src/photon/res/drawable-xxhdpi/ic_onion.png
new file mode 100755
index 000000000000..711bb3c8d8fa
Binary files /dev/null and b/mobile/android/app/src/photon/res/drawable-xxhdpi/ic_onion.png differ
diff --git a/mobile/android/app/src/photon/res/drawable-xxhdpi/ic_onion_disabled.png b/mobile/android/app/src/photon/res/drawable-xxhdpi/ic_onion_disabled.png
new file mode 100755
index 000000000000..0d931669abf3
Binary files /dev/null and b/mobile/android/app/src/photon/res/drawable-xxhdpi/ic_onion_disabled.png differ
diff --git a/mobile/android/app/src/photon/res/drawable-xxhdpi/ic_onion_lock.png b/mobile/android/app/src/photon/res/drawable-xxhdpi/ic_onion_lock.png
new file mode 100755
index 000000000000..f7a5c29b4c17
Binary files /dev/null and b/mobile/android/app/src/photon/res/drawable-xxhdpi/ic_onion_lock.png differ
diff --git a/mobile/android/app/src/photon/res/drawable-xxxhdpi/ic_onion.png b/mobile/android/app/src/photon/res/drawable-xxxhdpi/ic_onion.png
new file mode 100755
index 000000000000..97a0beabbe0c
Binary files /dev/null and b/mobile/android/app/src/photon/res/drawable-xxxhdpi/ic_onion.png differ
diff --git a/mobile/android/app/src/photon/res/drawable-xxxhdpi/ic_onion_disabled.png b/mobile/android/app/src/photon/res/drawable-xxxhdpi/ic_onion_disabled.png
new file mode 100755
index 000000000000..aec29bf6238b
Binary files /dev/null and b/mobile/android/app/src/photon/res/drawable-xxxhdpi/ic_onion_disabled.png differ
diff --git a/mobile/android/app/src/photon/res/drawable-xxxhdpi/ic_onion_lock.png b/mobile/android/app/src/photon/res/drawable-xxxhdpi/ic_onion_lock.png
new file mode 100755
index 000000000000..71df527b2a6a
Binary files /dev/null and b/mobile/android/app/src/photon/res/drawable-xxxhdpi/ic_onion_lock.png differ
diff --git a/mobile/android/app/src/photon/res/drawable/security_mode_icon_nm.xml b/mobile/android/app/src/photon/res/drawable/security_mode_icon_nm.xml
index 0b6b496b0b34..bb0da0b843d2 100644
--- a/mobile/android/app/src/photon/res/drawable/security_mode_icon_nm.xml
+++ b/mobile/android/app/src/photon/res/drawable/security_mode_icon_nm.xml
@@ -28,5 +28,14 @@
     <item
         android:drawable="@drawable/ic_search_icon"
         android:maxLevel="6" />
+    <item
+        android:drawable="@drawable/ic_onion"
+        android:maxLevel="7"/>
+    <item
+        android:drawable="@drawable/ic_onion_lock"
+        android:maxLevel="8"/>
+    <item
+        android:drawable="@drawable/ic_onion_disabled"
+        android:maxLevel="9"/>
 
 </level-list>
diff --git a/mobile/android/app/src/photon/res/drawable/security_mode_icon_pm.xml b/mobile/android/app/src/photon/res/drawable/security_mode_icon_pm.xml
index edbd269040d1..be47d7fe081f 100644
--- a/mobile/android/app/src/photon/res/drawable/security_mode_icon_pm.xml
+++ b/mobile/android/app/src/photon/res/drawable/security_mode_icon_pm.xml
@@ -28,5 +28,14 @@
     <item
         android:drawable="@drawable/ic_search_icon"
         android:maxLevel="6" />
+    <item
+        android:drawable="@drawable/ic_onion"
+        android:maxLevel="7"/>
+    <item
+        android:drawable="@drawable/ic_onion_lock"
+        android:maxLevel="8"/>
+    <item
+        android:drawable="@drawable/ic_onion_disabled"
+        android:maxLevel="9"/>
 
 </level-list>
diff --git a/mobile/android/base/java/org/mozilla/gecko/SiteIdentity.java b/mobile/android/base/java/org/mozilla/gecko/SiteIdentity.java
index 1a046657329d..f5dcb5747386 100644
--- a/mobile/android/base/java/org/mozilla/gecko/SiteIdentity.java
+++ b/mobile/android/base/java/org/mozilla/gecko/SiteIdentity.java
@@ -25,6 +25,8 @@ public class SiteIdentity {
     private String mCountry;
     private String mVerifier;
     private String mOrigin;
+    private boolean mIsOnionHost;
+    private boolean mHasCert;
 
     public enum SecurityMode {
         UNKNOWN,
@@ -59,6 +61,8 @@ public class SiteIdentity {
         mCountry = null;
         mVerifier = null;
         mSecure = false;
+        mIsOnionHost = false;
+        mHasCert = false;
     }
 
     public void reset() {
@@ -110,6 +114,8 @@ public class SiteIdentity {
         mVerifier = identityData.getString("verifier");
         mSecure = identityData.getBoolean("secure");
         mSecurityException = identityData.getBoolean("securityException");
+        mIsOnionHost = identityData.getBoolean("isOnionHost");
+        mHasCert = identityData.getBoolean("hasCert");
     }
 
     public SecurityMode getSecurityMode() {
@@ -152,6 +158,14 @@ public class SiteIdentity {
         return mSecure;
     }
 
+    public boolean isOnionHost() {
+        return mIsOnionHost;
+    }
+
+    public boolean hasCert() {
+        return mHasCert;
+    }
+
     public MixedMode getMixedModeActive() {
         return mMixedModeActive;
     }
diff --git a/mobile/android/base/java/org/mozilla/gecko/toolbar/SecurityModeUtil.java b/mobile/android/base/java/org/mozilla/gecko/toolbar/SecurityModeUtil.java
index ceb33b8e3acb..10bc83c279a1 100644
--- a/mobile/android/base/java/org/mozilla/gecko/toolbar/SecurityModeUtil.java
+++ b/mobile/android/base/java/org/mozilla/gecko/toolbar/SecurityModeUtil.java
@@ -35,6 +35,9 @@ public class SecurityModeUtil {
         LOCK_SECURE(1),
         LOCK_WARNING(-1), // not used for now. reserve for MixedDisplayContent icon, if any.
         LOCK_INSECURE(3),
+        ONION(7),
+        ONION_ACTIVATE(8),
+        ONION_DISABLED(9),
         WARNING(2),
         TRACKING_CONTENT_BLOCKED(4),
         TRACKING_CONTENT_LOADED(5);
@@ -100,6 +103,8 @@ public class SecurityModeUtil {
         final MixedMode displayMixedMode = identity.getMixedModeDisplay();
         final TrackingMode trackingMode = identity.getTrackingMode();
         final boolean securityException = identity.isSecurityException();
+        final boolean isOnionHost = identity.isOnionHost();
+        final boolean hasCert = identity.hasCert();
 
         if (securityException) {
             return IconType.WARNING;
@@ -108,9 +113,9 @@ public class SecurityModeUtil {
         } else if (trackingMode == TrackingMode.TRACKING_CONTENT_BLOCKED) {
             return IconType.TRACKING_CONTENT_BLOCKED;
         } else if (activeMixedMode == MixedMode.LOADED) {
-            return IconType.LOCK_INSECURE;
+            return isOnionHost ? IconType.ONION_DISABLED : IconType.LOCK_INSECURE;
         } else if (displayMixedMode == MixedMode.LOADED) {
-            return IconType.WARNING;
+            return isOnionHost ? IconType.ONION_DISABLED : IconType.WARNING;
         }
 
         // Chrome-UI checking is after tracking/mixed-content, even for about: pages, as they
@@ -119,9 +124,15 @@ public class SecurityModeUtil {
             return IconType.DEFAULT;
         }
 
-        return securityModeMap.containsKey(securityMode)
-                ? securityModeMap.get(securityMode)
-                : IconType.UNKNOWN;
+        if (securityMode == SecurityMode.UNKNOWN) {
+            return isOnionHost ? IconType.ONION : IconType.UNKNOWN;
+        } else if (securityMode == SecurityMode.IDENTIFIED) {
+            return isOnionHost ? (hasCert ? IconType.ONION_ACTIVATE : IconType.ONION) : IconType.LOCK_SECURE;
+        } else if (securityMode == SecurityMode.VERIFIED) {
+            return isOnionHost ? IconType.ONION_ACTIVATE : IconType.LOCK_SECURE;
+        } else {
+            return IconType.UNKNOWN;
+        }
     }
 
     /**
diff --git a/mobile/android/base/java/org/mozilla/gecko/toolbar/SiteIdentityPopup.java b/mobile/android/base/java/org/mozilla/gecko/toolbar/SiteIdentityPopup.java
index 831f69f2bf09..df67f0a9b9ed 100644
--- a/mobile/android/base/java/org/mozilla/gecko/toolbar/SiteIdentityPopup.java
+++ b/mobile/android/base/java/org/mozilla/gecko/toolbar/SiteIdentityPopup.java
@@ -144,8 +144,9 @@ public class SiteIdentityPopup extends AnchoredPopup implements BundleEventListe
             init();
         }
 
-        final boolean isIdentityKnown = (siteIdentity.getSecurityMode() == SecurityMode.IDENTIFIED ||
-                                         siteIdentity.getSecurityMode() == SecurityMode.VERIFIED);
+        final boolean isIdentityKnown = ((siteIdentity.getSecurityMode() == SecurityMode.IDENTIFIED ||
+                                         siteIdentity.getSecurityMode() == SecurityMode.VERIFIED) &&
+                                         siteIdentity.hasCert());
         updateConnectionState(siteIdentity);
         toggleIdentityKnownContainerVisibility(isIdentityKnown);
 
@@ -322,7 +323,8 @@ public class SiteIdentityPopup extends AnchoredPopup implements BundleEventListe
         } else if (!siteIdentity.isSecure()) {
             if (siteIdentity.getMixedModeActive() == MixedMode.LOADED) {
                 // Active Mixed Content loaded because user has disabled blocking.
-                mIcon.setImageResource(R.drawable.ic_lock_disabled);
+                int resId = siteIdentity.isOnionHost() ? R.drawable.ic_onion_disabled : R.drawable.ic_lock_disabled;
+                mIcon.setImageResource(resId);
                 clearSecurityStateIcon();
                 mMixedContentActivity.setVisibility(View.VISIBLE);
                 mMixedContentActivity.setText(R.string.mixed_content_protection_disabled);
@@ -330,7 +332,8 @@ public class SiteIdentityPopup extends AnchoredPopup implements BundleEventListe
                 mLink.setVisibility(View.VISIBLE);
             } else if (siteIdentity.getMixedModeDisplay() == MixedMode.LOADED) {
                 // Passive Mixed Content loaded.
-                mIcon.setImageResource(R.drawable.ic_lock_inactive);
+                int resId = siteIdentity.isOnionHost() ? R.drawable.ic_onion_disabled : R.drawable.ic_lock_inactive;
+                mIcon.setImageResource(resId);
                 setSecurityStateIcon(R.drawable.ic_warning_major, 1);
                 mMixedContentActivity.setVisibility(View.VISIBLE);
                 if (siteIdentity.getMixedModeActive() == MixedMode.BLOCKED) {
@@ -342,7 +345,8 @@ public class SiteIdentityPopup extends AnchoredPopup implements BundleEventListe
 
             } else {
                 // Unencrypted connection with no mixed content.
-                mIcon.setImageResource(R.drawable.globe_light);
+                int resId = siteIdentity.isOnionHost() ? R.drawable.ic_onion : R.drawable.globe_light;
+                mIcon.setImageResource(resId);
                 clearSecurityStateIcon();
 
                 mMixedContentActivity.setVisibility(View.GONE);
@@ -361,7 +365,8 @@ public class SiteIdentityPopup extends AnchoredPopup implements BundleEventListe
 
         } else {
             // Connection is secure.
-            mIcon.setImageResource(R.drawable.ic_lock);
+            int resId = siteIdentity.isOnionHost() ? (siteIdentity.hasCert() ? R.drawable.ic_onion_lock : R.drawable.ic_onion) : R.drawable.ic_lock;
+            mIcon.setImageResource(resId);
 
             setSecurityStateIcon(R.drawable.img_check, 2);
             mSecurityState.setTextColor(ContextCompat.getColor(mContext, R.color.affirmative_green));
diff --git a/mobile/android/chrome/content/browser.js b/mobile/android/chrome/content/browser.js
index 51fe1422acc5..3e074009fad9 100644
--- a/mobile/android/chrome/content/browser.js
+++ b/mobile/android/chrome/content/browser.js
@@ -5558,6 +5558,12 @@ var IdentityHandler = {
   */
   getIdentityData : function() {
     let result = {};
+
+    // Even if the connection is secure, it may not have a certificate
+    if (!this._lastStatus) {
+      return result;
+    }
+
     let status = this._lastStatus.QueryInterface(Ci.nsISSLStatus);
     let cert = status.serverCert;
 
@@ -5585,6 +5591,10 @@ var IdentityHandler = {
     return result;
   },
 
+  isOnionHost: function isOnionHost() {
+    return this._uri.host.toLowerCase().endsWith(".onion");
+  },
+
   /**
    * Determines the identity mode corresponding to the icon we show in the urlbar.
    */
@@ -5704,6 +5714,8 @@ var IdentityHandler = {
     };
 
     result.host = this.getEffectiveHost();
+    result.isOnionHost = this.isOnionHost();
+    result.hasCert = !!this._lastStatus;
 
     // Don't show identity data for pages with an unknown identity or if any
     // mixed content is loaded (mixed display content is loaded by default).
@@ -5757,7 +5769,7 @@ var IdentityHandler = {
     // hasMatchingOverride does not handle that, so avoid calling it.
     // Updating the tooltip value in those cases isn't critical.
     // FIXME: Fixing bug 646690 would probably makes this check unnecessary
-    if (this._lastLocation.hostname &&
+    if (this._lastLocation.hostname && iData.cert &&
         this._overrideService.hasMatchingOverride(this._lastLocation.hostname,
                                                   (this._lastLocation.port || 443),
                                                   iData.cert, {}, {})) {



More information about the tor-commits mailing list