[tor-commits] [Git][tpo/applications/tor-browser][tor-browser-115.5.0esr-13.0-1] fixup! Bug 23247: Communicating security expectations for .onion
ma1 (@ma1)
git at gitlab.torproject.org
Mon Dec 4 12:07:16 UTC 2023
ma1 pushed to branch tor-browser-115.5.0esr-13.0-1 at The Tor Project / Applications / Tor Browser
Commits:
91e057ca by cypherpunks1 at 2023-12-04T13:06:55+01:00
fixup! Bug 23247: Communicating security expectations for .onion
Bug 42231: Improve the network monitor patch for http onion resources
- - - - -
2 changed files:
- devtools/client/netmonitor/src/components/SecurityState.js
- devtools/shared/network-observer/NetworkHelper.sys.mjs
Changes:
=====================================
devtools/client/netmonitor/src/components/SecurityState.js
=====================================
@@ -41,7 +41,7 @@ class SecurityState extends Component {
const {
securityState,
- urlDetails: { isLocal },
+ urlDetails: { host, isLocal },
} = item;
const iconClassList = ["requests-security-state-icon"];
@@ -50,7 +50,11 @@ class SecurityState extends Component {
// Locally delivered files such as http://localhost and file:// paths
// are considered to have been delivered securely.
- if (isLocal) {
+ if (
+ isLocal ||
+ (host?.endsWith(".onion") &&
+ Services.prefs.getBoolPref("dom.securecontext.allowlist_onions", false))
+ ) {
realSecurityState = "secure";
}
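Review bot: The new `.onion` branch overwrites the state unconditionally, so an onion request whose reported `securityState` is `"broken"` or `"weak"` would also be displayed as secure, not only the plain-http case this fixup targets. If that is not intended, restrict the upgrade to the insecure case, e.g. `(securityState === "insecure" && host?.endsWith(".onion") &&` ahead of the pref check. The comment above the condition still describes only locally delivered files; it could gain a line such as `// .onion hosts are treated the same way when dom.securecontext.allowlist_onions is set.` The declaration of `realSecurityState` and the rest of the method lie outside the hunk, so its initial value is assumed to be `securityState`.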
=====================================
devtools/shared/network-observer/NetworkHelper.sys.mjs
=====================================
@@ -596,9 +596,6 @@ export var NetworkHelper = {
// The request did not contain any security info.
if (!securityInfo) {
- if (httpActivity.hostname && httpActivity.hostname.endsWith(".onion")) {
- info.state = "secure";
- }
return info;
}
@@ -650,11 +647,7 @@ export var NetworkHelper = {
// schemes other than https and wss are subject to
// downgrade/etc at the scheme level and should always be
// considered insecure
- if (httpActivity.hostname && httpActivity.hostname.endsWith(".onion")) {
- info.state = "secure";
- } else {
- info.state = "insecure";
- }
+ info.state = "insecure";
} else if (state & wpl.STATE_IS_SECURE) {
// The connection is secure if the scheme is sufficient
info.state = "secure";
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/91e057ca292b1231023c37c2baf5f23f3729d5ea