June 2018 - tor-commits - lists.torproject.org

[translation/tor-browser-manual] Update translations for tor-browser-manual
by translation＠torproject.org 19 Jun '18

19 Jun '18

commit f30d14dbcf44fe31d27ca8e9a3834d4f43831a78 Author: Translation commit bot <translation(a)torproject.org> Date: Tue Jun 19 11:48:42 2018 +0000 Update translations for tor-browser-manual --- ar/ar.po | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/ar/ar.po b/ar/ar.po index 4345aeed8..8235d6866 100644 --- a/ar/ar.po +++ b/ar/ar.po @@ -831,12 +831,16 @@ msgid "" "When you log in to a website over Tor, there are several points you should " "bear in mind:" msgstr "" +"عند الولوج إلى موقع عبر متصفح تور، فهناك بعض النقاط التي ينبغي الانتباه " +"إليها:" #: managing-identities.page:79 msgid "" "See the <link xref=\"secure-connections\">Secure Connections</link> page for" " important information on how to secure your connection when logging in." msgstr "" +"راجع صفحة <link xref=\"secure-connections\">الاتصالات الآمنة</link> لمعلومات" +" مهمة حول كيفية تأمين اتصالك أثناء الولوج." #: managing-identities.page:87 msgid "" @@ -847,10 +851,15 @@ msgid "" "following the site’s recommended procedure for account recovery, or " "contacting the operators and explaining the situation." msgstr "" +"كثيرا ما يجعل متصفح تور اتصالاتك تبدو وكأنها قادمة من منطقة أخرى من العالم. " +"بعض المواقع، مثل البنوك أو خدمات البريد الإلكتروني، قد تفسر هذا على أنه مؤشر" +" على اختراق حسابك، وبالتالي تمنعك من الولوج. الحل الوحيد لهذه المشكلة هو " +"اتباع الإجراءات التي ينصح به الموقع لاستعادة الحساب، أو التواصل مع مشغلي " +"الموقع لتوضيح اللبس." #: managing-identities.page:101 msgid "Changing identities and circuits" -msgstr "" +msgstr "تغيير الهويات والدوائر" #. This is a reference to an external file such as an image or video. When #. the file changes, the md5 hash will change to let you know you need to @@ -862,12 +871,16 @@ msgid "" "external ref='media/managing-identities/new_identity.png' " "md5='15b01e35fa83185d94b57bf0ccf09d76'" msgstr "" +"external ref='media/managing-identities/new_identity.png' " +"md5='15b01e35fa83185d94b57bf0ccf09d76'" #: managing-identities.page:105 msgid "" "Tor Browser features “New Identity” and “New Tor Circuit for this Site” " "options, located in the Torbutton menu." msgstr "" +"يحتوي متصفح تور على خياري ”هوية جديدة“ و ”دائرة تور جديدة لهذا الموقع“، في " +"قائمة زر تور." #: managing-identities.page:111 msgid "New Identity" @@ -1081,7 +1094,7 @@ msgstr "" #: secure-connections.page:12 msgid "Secure Connections" -msgstr "" +msgstr "الاتصالات الآمنة" #: secure-connections.page:14 msgid "" @@ -1103,6 +1116,8 @@ msgid "" "external ref='media/secure-connections/https.png' " "md5='364bcbde7a649b0cea9ae178007c1a50'" msgstr "" +"external ref='media/secure-connections/https.png' " +"md5='364bcbde7a649b0cea9ae178007c1a50'" #: secure-connections.page:26 msgid ""

1 0

[translation/tor-browser-manual] Update translations for tor-browser-manual
by translation＠torproject.org 19 Jun '18

19 Jun '18

commit 85b8c8e40f448dacb8a315783e463a990c922fad Author: Translation commit bot <translation(a)torproject.org> Date: Tue Jun 19 11:18:45 2018 +0000 Update translations for tor-browser-manual --- ar/ar.po | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/ar/ar.po b/ar/ar.po index fcbfa50a6..4345aeed8 100644 --- a/ar/ar.po +++ b/ar/ar.po @@ -759,6 +759,10 @@ msgid "" " be served over two different Tor circuits, so the tracker will not know " "that both connections originate from your browser." msgstr "" +"مع متصفح تور تتمركز تجربتك على الوب حول علاقتك بالموقع الموجود في شريط " +"العناوين. حتى إذا اتصلت بموقعين مختلفين يستخدمان نفس خدمة التعقب الخارجية، " +"فسيجبر متصفح تور أن يمر محتوى كل موقع عبر دائرتي تور مختلفتين، لذا لن يعرف " +"المتعقب أن كلا الاتصالين يأتي من متصفحك." #: managing-identities.page:38 msgid "" @@ -767,6 +771,9 @@ msgid "" "single website in separate tabs or windows, without any loss of " "functionality." msgstr "" +"ومن الناحية الأخرى، كل الاتصالات إلى عنوان موقع واحد تمر عبر نفس دائرة تور، " +"مما يعني أنك تستطيع تصفح صفحات مختلفة من نفس الموقع في ألسنة أو نوافذ منفصلة" +" دون أي تأثير على وظيفة الموقع." #. This is a reference to an external file such as an image or video. When #. the file changes, the md5 hash will change to let you know you need to @@ -778,16 +785,20 @@ msgid "" "external ref='media/managing-identities/circuit_full.png' " "md5='bd46d22de952fee42643be46d3f95928'" msgstr "" +"external ref='media/managing-identities/circuit_full.png' " +"md5='bd46d22de952fee42643be46d3f95928'" #: managing-identities.page:48 msgid "" "You can see a diagram of the circuit that Tor Browser is using for the " "current tab in the onion menu." msgstr "" +"يمكنك الاطلاع على رسم بياني بالدائرة التي يستخدمها متصفح تور للسان الحالي من" +" قائمة البصلة." #: managing-identities.page:55 msgid "Logging in over Tor" -msgstr "" +msgstr "الولوج عبر تور" #: managing-identities.page:56 msgid "" @@ -795,6 +806,9 @@ msgid "" "there may be situations in which it makes sense to use Tor with websites " "that require usernames, passwords, or other identifying information." msgstr "" +"بالرغم من أن متصفح تور مصمم ليتيح إخفاء هوية مستخدميه بشكل كامل على الوب، " +"إلا أنه أحيانا ما يكون من المفيد استخدام تور مع مواقع تتطلب أسماء مستخدمين " +"وكلمات سر، أو معلومات تعريفية أخرى." #: managing-identities.page:62 msgid "" @@ -805,6 +819,12 @@ msgid "" "you reveal to the websites you browse. Logging in using Tor Browser is also " "useful if the website you are trying to reach is censored on your network." msgstr "" +"عند ولوجك إلى موقع باستخدام متصفح عادي فأنت تكشف أيضا عن مكانك الجغرافي " +"وعنوان الإنترنت (IP). ونفس الشيء كثيرا ما يحدث عندما ترسل بريدا إلكترونيا. " +"لكن الولوج إلى حسابات شبكات التواصل الاجتماعي والبريد الإلكتروني من متصفح " +"تور يتيح لك التحكم في المعلومات التي تكشفها في نفسك للمواقع التي تتصفحها. " +"كما يفيد الولوج عبر متصفح تور إذا كان الموقع الذي تحاول الوصول إليه محجوبا " +"على شبكتك." #: managing-identities.page:72 msgid ""

1 0

[tor-browser-build/master] Bug 26362: Use old MAR format for update file creation
by boklm＠torproject.org 19 Jun '18

19 Jun '18

commit befc4910feb0eee2016e10000ed31e3fea7ef6b1 Author: Georg Koppen <gk(a)torproject.org> Date: Tue Jun 19 09:29:37 2018 +0000 Bug 26362: Use old MAR format for update file creation Mozilla switched from Bzip2 to LZMA as compression algorithm for MAR files during th Firefox 56. That means esr52-based Tor Browsers don't understand LZMA yet. Thus, we still use Bzip2 for the first esr60-based MAR files and switch afterwards to LZMA. --- Makefile | 8 ++++---- projects/tor-browser/build | 3 +++ 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 4c21a83..80e9983 100644 --- a/Makefile +++ b/Makefile @@ -113,13 +113,13 @@ signtag-alpha: submodule-update incrementals-release: submodule-update $(rbm) build release --step update_responses_config --target release --target create_unsigned_incrementals tools/update-responses/download_missing_versions release - tools/update-responses/gen_incrementals release + MAR_OLD_FORMAT=1 tools/update-responses/gen_incrementals release $(rbm) build release --step hash_incrementals --target release incrementals-alpha: submodule-update $(rbm) build release --step update_responses_config --target alpha --target create_unsigned_incrementals tools/update-responses/download_missing_versions alpha - tools/update-responses/gen_incrementals alpha + MAR_OLD_FORMAT=1 tools/update-responses/gen_incrementals alpha $(rbm) build release --step hash_incrementals --target alpha update_responses-release: submodule-update @@ -134,13 +134,13 @@ dmg2mar-release: submodule-update $(rbm) build release --step update_responses_config --target release --target signed $(rbm) build release --step dmg2mar --target release --target signed tools/update-responses/download_missing_versions release - CHECK_CODESIGNATURE_EXISTS=1 MAR_SKIP_EXISTING=1 tools/update-responses/gen_incrementals release + CHECK_CODESIGNATURE_EXISTS=1 MAR_SKIP_EXISTING=1 MAR_OLD_FORMAT=1 tools/update-responses/gen_incrementals release dmg2mar-alpha: submodule-update $(rbm) build release --step update_responses_config --target alpha --target signed $(rbm) build release --step dmg2mar --target alpha --target signed tools/update-responses/download_missing_versions alpha - CHECK_CODESIGNATURE_EXISTS=1 MAR_SKIP_EXISTING=1 tools/update-responses/gen_incrementals alpha + CHECK_CODESIGNATURE_EXISTS=1 MAR_SKIP_EXISTING=1 MAR_OLD_FORMAT=1 tools/update-responses/gen_incrementals alpha submodule-update: git submodule update --init diff --git a/projects/tor-browser/build b/projects/tor-browser/build index 19aa657..52678ed 100644 --- a/projects/tor-browser/build +++ b/projects/tor-browser/build @@ -268,6 +268,9 @@ popd cd $distdir [% IF c("var/build_mar") -%] + # Let's use the bzip2 format for now so that users can update to the first + # esr60-based Tor Browser. + export MAR_OLD_FORMAT=1 # Create full MAR file and compressed package. MAR_FILE=tor-browser-[% c("var/mar_osname") %]-[% c("var/torbrowser_version") %]_${PKG_LOCALE}.mar MAR=$MARTOOLS/mar MBSDIFF=$MARTOOLS/mbsdiff $MARTOOLS/make_full_update.sh -q $OUTDIR/$MAR_FILE "$TBDIR"

1 0

[translation/support-miscellaneous] Update translations for support-miscellaneous
by translation＠torproject.org 19 Jun '18

19 Jun '18

commit 06965d334607690e8f4225033327c8a5c5e911ff Author: Translation commit bot <translation(a)torproject.org> Date: Tue Jun 19 10:19:30 2018 +0000 Update translations for support-miscellaneous --- tr.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tr.json b/tr.json index 17f6be438..bda160471 100644 --- a/tr.json +++ b/tr.json @@ -9,12 +9,12 @@ "id": "#çeşitli-2", "control": "çeşitli-2", "title": "Kötü insanların, Tor kullanırken kötü şeyler yapmasını neden engellemiyorsunuz?", - "description": "<p class=\"mb-3\">Tor is designed to defend human rights and privacy by preventing anyone from censoring things, even us. We hate that there are some people who use Tor to do terrible things, but we can't do anything to get rid of them without also undermining the human rights activists, journalists, abuse survivors, and other people who use Tor for good things. If we wanted to block certain people from using Tor, we'd basically be adding a backdoor to the software, which would open up our vulnerable users to attacks from bad regimes and other adversaries.</p>" + "description": "<p class=\"mb-3\">Tor, insan haklarını ve gizliliği, herhangi birinin bir şeyleri, bizim bile, sansürlemesini engellemesi için tasarlanmıştır. Bazı insanların Tor'u kötü şeyler yapmak için kullanmasıdan nefret ediyoruz, fakat onlardan kurtlumak için bir şey yapamıyoruz, bu insan hakları aktivistlerinin, gazetecilerin, şiddet mağdurlarının ve Tor'u iyi amaçlar için kullanan diğer kişilerin de dışlanması anlamına geliyor. Belli insanların Tor'u kullanmasını engellemek isteseydik, yazılıma arka kapı bırakmış olacaktık, ki bu savunmasız kullanıcıları kötü rejimlerin ve diğer hasımların saldırılarına açmak demek.</p>" }, "misc-3": { - "id": "#misc-3", - "control": "misc-3", - "title": "Who funds Tor?", + "id": "#çeşitli-3", + "control": "çeşitli-3", + "title": "Tor'a kim kaynak sağlıyor?", "description": "<p class=\"mb-3\">Tor is funded by a number of different sponsors including US federal agencies, private foundations, and individual donors. Check out a list of all <mark><a href=\"https://www.torproject.org/about/sponsors.html.en\">our sponsors</a></mark> and a series of <mark><a href=\"https://blog.torproject.org/category/tags/form-990\">blog posts</a></mark> on our financial reports.</p><p class=\"mb-3\">We feel that talking openly about our funders and funding model is the best way to maintain trust with our community. We are always seeking more diversity in our funding sources, especially from foundations and individuals.</p>" }, "misc-4": {

1 0

[translation/tor-browser-manual] Update translations for tor-browser-manual
by translation＠torproject.org 19 Jun '18

19 Jun '18

commit 937613317afc8e8fce07b8a7e5d2a6d32c3800f0 Author: Translation commit bot <translation(a)torproject.org> Date: Tue Jun 19 09:48:43 2018 +0000 Update translations for tor-browser-manual --- ar/ar.po | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ar/ar.po b/ar/ar.po index 165e9c071..fcbfa50a6 100644 --- a/ar/ar.po +++ b/ar/ar.po @@ -742,10 +742,10 @@ msgid "" " Browser includes some additional features that help you control what " "information can be tied to your identity." msgstr "" -"استخدام شبكة Tor يمنع المتطفّلين من اكتشاف موقعك المحدد وعنوان شبكبتك الخاص," -" ولكن حتى بدون هذه المعلومات يمكنهم ربط اماكن مختلفة من نشاطك معا, لهذا " -"السبب, يشمل متصفّح Tor بعض الخاصيّات التي تساعدك على التحكّم بالمعلومات التي" -" يمكن ربطها بك." +"يمنع استخدام شبكة تور المتطفّلين من معرفة مكانك وعنوان الشبكة (IP)، ولكن حتى" +" بدون هذه المعلومات يمكنهم الربط بين أماكن نشاطك المختلفة. لهذا السبب يشمل " +"متصفّح تور بعض الخاصيّات التي تساعدك على التحكّم بالمعلومات التي يمكن ربطها " +"بك." #: managing-identities.page:29 msgid "The URL bar"

1 0

[translation/support-miscellaneous] Update translations for support-miscellaneous
by translation＠torproject.org 19 Jun '18

19 Jun '18

commit 980216f8d5abff903f5d0c546071c305c7da89ca Author: Translation commit bot <translation(a)torproject.org> Date: Tue Jun 19 09:19:39 2018 +0000 Update translations for support-miscellaneous --- tr.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tr.json b/tr.json index 504eaea38..17f6be438 100644 --- a/tr.json +++ b/tr.json @@ -3,12 +3,12 @@ "id": "#çeşitli-1", "control": "çeşitli-1", "title": "Zorunlu bir sebepten dolayı bir Tor kullanıcısını bulmalıyım. Yardım edebilir misiniz?", - "description": "<p class=\"mb-3\">There is nothing the Tor developers can do to trace Tor users. The same protections that keep bad people from breaking Tor's anonymity also prevent us from tracking users.</p>" + "description": "<p class=\"mb-3\">Tor geliştiricilerinin, Tor kullanıcılarını bulmak için yapabileceği hiçbir şey yok. Kötü insanların, Tor'un anonimliğini kırmasını engellemek için alınmış önlemler bizi kullanıcıların takibinden de alıkoymaktadır.</p>" }, "misc-2": { - "id": "#misc-2", - "control": "misc-2", - "title": "Why don't you prevent bad people from doing bad things when using Tor?", + "id": "#çeşitli-2", + "control": "çeşitli-2", + "title": "Kötü insanların, Tor kullanırken kötü şeyler yapmasını neden engellemiyorsunuz?", "description": "<p class=\"mb-3\">Tor is designed to defend human rights and privacy by preventing anyone from censoring things, even us. We hate that there are some people who use Tor to do terrible things, but we can't do anything to get rid of them without also undermining the human rights activists, journalists, abuse survivors, and other people who use Tor for good things. If we wanted to block certain people from using Tor, we'd basically be adding a backdoor to the software, which would open up our vulnerable users to attacks from bad regimes and other adversaries.</p>" }, "misc-3": {

1 0

[translation/support-miscellaneous] Update translations for support-miscellaneous
by translation＠torproject.org 19 Jun '18

19 Jun '18

commit 569e70732976e5dd361567f2f9d846dd5c51c46a Author: Translation commit bot <translation(a)torproject.org> Date: Tue Jun 19 08:49:27 2018 +0000 Update translations for support-miscellaneous --- tr.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tr.json b/tr.json index c29993d09..504eaea38 100644 --- a/tr.json +++ b/tr.json @@ -1,8 +1,8 @@ { "misc-1": { - "id": "#misc-1", - "control": "misc-1", - "title": "I have a compelling reason to trace a Tor user. Can you help?", + "id": "#çeşitli-1", + "control": "çeşitli-1", + "title": "Zorunlu bir sebepten dolayı bir Tor kullanıcısını bulmalıyım. Yardım edebilir misiniz?", "description": "<p class=\"mb-3\">There is nothing the Tor developers can do to trace Tor users. The same protections that keep bad people from breaking Tor's anonymity also prevent us from tracking users.</p>" }, "misc-2": {

1 0

[torbutton/master] Bug 26128: Adapt security slider to WebExtensions version of NoScript
by gk＠torproject.org 19 Jun '18

19 Jun '18

commit 3e1c144a729f373b3ee70fd8d2a16646b2b6ad12 Author: Arthur Edelstein <arthuredelstein(a)gmail.com> Date: Wed Jun 6 21:54:58 2018 -0700 Bug 26128: Adapt security slider to WebExtensions version of NoScript We try to maintain the same security slider behavior as for the legacy version of NoScript. This patch uses a few tricks: 1. Using a LegacyExtensionContext (defined in LegacyExtensionsUtils.jsm) to send JSON objects to NoScript via sendMessage. 2. Taking advantage of an existing invocation of browser.runtime.onMessage.addListener(...) in NoScript's code that accepts a JSON object for updating NoScript's settings. 3. Providing NoScript with settings for a "site" whose "domain" is "http:", which causes NoScript to match non-https sites. (Thanks to Sukhbir Singh for help.) --- src/chrome/content/torbutton.js | 2 + src/modules/noscript-control.js | 126 ++++++++++++++++++++++++++++++++++++++++ src/modules/security-prefs.js | 8 +-- 3 files changed, 131 insertions(+), 5 deletions(-) diff --git a/src/chrome/content/torbutton.js b/src/chrome/content/torbutton.js index 7f750bc..11548d4 100644 --- a/src/chrome/content/torbutton.js +++ b/src/chrome/content/torbutton.js @@ -11,6 +11,7 @@ let { Services } = Cu.import("resource://gre/modules/Services.jsm", {}); let { showDialog } = Cu.import("resource://torbutton/modules/utils.js", {}); let { getLocale, unescapeTorString } = Cu.import("resource://torbutton/modules/utils.js", {}); let SecurityPrefs = Cu.import("resource://torbutton/modules/security-prefs.js", {}); +let NoScriptControl = Cu.import("resource://torbutton/modules/noscript-control.js", {}); let { bindPrefAndInit, observe } = Cu.import("resource://torbutton/modules/utils.js", {}); Cu.importGlobalProperties(["XMLHttpRequest"]); @@ -242,6 +243,7 @@ function torbutton_init() { torbutton_log(3, 'called init()'); SecurityPrefs.initialize(); + NoScriptControl.initialize(); if (m_tb_wasinited) { return; diff --git a/src/modules/noscript-control.js b/src/modules/noscript-control.js new file mode 100644 index 0000000..6270efe --- /dev/null +++ b/src/modules/noscript-control.js @@ -0,0 +1,126 @@ +// # NoScript settings control (for binding to Security Slider) + +/* jshint esversion:6 */ + +// ## Utilities + +const { utils: Cu } = Components; +const { LegacyExtensionContext } = + Cu.import("resource://gre/modules/LegacyExtensionsUtils.jsm", {}); +const { bindPrefAndInit } = + Cu.import("resource://torbutton/modules/utils.js", {}); + +// ## NoScript settings + +// Minimum and maximum capability states as controlled by NoScript. +const max_caps = ["fetch", "font", "frame", "media", "other", "script", "webgl"]; +const min_caps = ["frame", "other"]; + +// Untrusted capabilities for [Standard, Safer, Safest] safety levels. +const untrusted_caps = [ + max_caps, // standard safety: neither http nor https + ["frame", "font", "other"], // safer: http + min_caps, // safest: neither http nor https +]; + +// Default capabilities for [Standard, Safer, Safest] safety levels. +const default_caps = [ + max_caps, // standard: both http and https + ["fetch", "font", "frame", "other", "script", "webgl"], // safer: https only + min_caps, // safest: both http and https +]; + +// __noscriptSettings(safetyLevel)__. +// Produces NoScript settings with policy according to +// the safetyLevel which can be: +// 0 = Standard, 1 = Safer, 2 = Safest +// +// At the "Standard" safety level, we leave all sites at +// default with maximal capabilities. Essentially no content +// is blocked. +// +// At "Safer", we set all http sites to untrusted, +// and all https sites to default. Scripts are only permitted +// on https sites. Neither type of site is supposed to allow +// media, but both allow fonts (as we used in legacy NoScript). +// +// At "Safest", all sites are at default with minimal +// capabilities. Most things are blocked. +let noscriptSettings = safetyLevel => ( + { + "type": "NoScript.updateSettings", + "policy": { + "DEFAULT": { + "capabilities": default_caps[safetyLevel], + "temp": false + }, + "TRUSTED": { + "capabilities": max_caps, + "temp": false + }, + "UNTRUSTED": { + "capabilities": untrusted_caps[safetyLevel], + "temp": false + }, + "sites": { + "trusted": [], + "untrusted": [[], ["http:"], []][safetyLevel], + "custom": {}, + "temp": [] + }, + "enforced": true, + "autoAllowTop": false + }, + "tabId": -1 + }); + +// ## Communications + +// The extension ID for NoScript (WebExtension) +const noscriptID = "{73a6fe31-595d-460b-a920-fcc0f8843232}"; + +// A mock extension object that can communicate with another extension +// via the WebExtensions sendMessage/onMessage mechanism. +let extensionContext = new LegacyExtensionContext({ id : noscriptID }); + +// The component that handles WebExtensions' sendMessage. +let messageManager = extensionContext.messenger.messageManagers[0]; + +// __setNoScriptSettings(settings)__. +// NoScript listens for internal settings with onMessage. We can send +// a new settings JSON object according to NoScript's +// protocol and these are accepted! See the use of +// `browser.runtime.onMessage.addListener(...)` in NoScript's bg/main.js. +let sendNoScriptSettings = settings => + extensionContext.messenger.sendMessage(messageManager, settings, noscriptID); + +// __setNoScriptSafetyLevel(safetyLevel)__. +// Set NoScript settings according to a particular safety level +// (security slider level): 0 = Standard, 1 = Safer, 2 = Safest +let setNoScriptSafetyLevel = safetyLevel => + sendNoScriptSettings(noscriptSettings(safetyLevel)); + +// ## Slider binding + +// __securitySliderToSafetyLevel(sliderState)__. +// Converts the "extensions.torbutton.security_slider" pref value +// to a "safety level" value: 0 = Standard, 1 = Safer, 2 = Safest +let securitySliderToSafetyLevel = sliderState => [undefined, 2, 1, 1, 0][sliderState]; + +// Ensure binding only occurs once. +let initialized = false; + +// __initialize()__. +// The main function that binds the NoScript settings to the security +// slider pref state. +var initialize = () => { + if (initialized) { + return; + } + bindPrefAndInit( + "extensions.torbutton.security_slider", + sliderState => setNoScriptSafetyLevel(securitySliderToSafetyLevel(sliderState))); +}; + +// Export initialize() function for external use. +let EXPORTED_SYMBOLS = ["initialize"]; diff --git a/src/modules/security-prefs.js b/src/modules/security-prefs.js index 3d3630b..d269a1f 100644 --- a/src/modules/security-prefs.js +++ b/src/modules/security-prefs.js @@ -16,19 +16,17 @@ let log = (level, msg) => logger.log(level, msg); // __kSecuritySettings__. // A table of all prefs bound to the security slider, and the value // for each security setting. Note that 2-m and 3-m are identical, -// corresponding to the old 2-medium-high setting. +// corresponding to the old 2-medium-high setting. We also separately +// bind NoScript settings to the extensions.torbutton.security_slider +// (see noscript-control.js). const kSecuritySettings = { // Preference name : [0, 1-high 2-m 3-m 4-low] "javascript.options.ion" : [, false, false, false, true ], "javascript.options.baselinejit" : [, false, false, false, true ], "javascript.options.native_regexp" : [, false, false, false, true ], - "noscript.forbidMedia" : [, true, true, true, false], "media.webaudio.enabled" : [, false, false, false, true ], "mathml.disabled" : [, true, true, true, false], "gfx.font_rendering.opentype_svg.enabled" : [, false, false, false, true ], - "noscript.global" : [, false, false, false, true ], - "noscript.globalHttpsWhitelist" : [, false, true, true, false], - "noscript.forbidFonts" : [, true, false, false, false], "svg.in-content.enabled" : [, false, true, true, true ], };

1 0

[torbutton/master] Merge remote-tracking branch 'arthur/26128+1'
by gk＠torproject.org 19 Jun '18

19 Jun '18

commit 1e43e9c6ed448d9ca91235c38f5ea0b4d43c71cb Merge: 65b5371 3e1c144 Author: Georg Koppen <gk(a)torproject.org> Date: Tue Jun 19 08:17:29 2018 +0000 Merge remote-tracking branch 'arthur/26128+1' src/chrome/content/torbutton.js | 2 + src/modules/noscript-control.js | 126 ++++++++++++++++++++++++++++++++++++++++ src/modules/security-prefs.js | 8 +-- 3 files changed, 131 insertions(+), 5 deletions(-)

1 0

[tor-browser/tor-browser-60.0.1esr-8.0-1] Bug 23247: Communicating security expectations for .onion
by gk＠torproject.org 19 Jun '18

19 Jun '18

commit 06fd55e2e061c7348f86d7f0ced3d64ffac9baad Author: Richard Pospesel <richard(a)torproject.org> Date: Fri Jun 8 13:38:40 2018 -0700 Bug 23247: Communicating security expectations for .onion Encrypting pages hosted on Onion Services with SSL/TLS is redundant (in terms of hiding content) as all traffic within the Tor network is already fully encrypted. Therefore, serving HTTP pages from an Onion Service is more or less fine. Prior to this patch, Tor Browser would mostly treat pages delivered via Onion Services as well as pages delivered in the ordinary fashion over the internet in the same way. This created some inconsistencies in behaviour and misinformation presented to the user relating to the security of pages delivered via Onion Services: - HTTP Onion Service pages did not have any 'lock' icon indicating the site was secure - HTTP Onion Service pages would be marked as unencrypted in the Page Info screen - Mixed-mode content restrictions did not apply to HTTP Onion Service pages embedding Non-Onion HTTP content This patch fixes the above issues, and also adds several new 'Onion' icons to the mix to indicate all of the various permutations of Onion Services hosted HTTP or HTTPS pages with HTTP or HTTPS content. Strings for Onion Service Page Info page are pulled from Torbutton's localization strings. --- browser/base/content/browser.js | 66 ++++++++++++++-------- browser/base/content/pageinfo/security.js | 57 +++++++++++++++---- .../shared/identity-block/identity-block.inc.css | 20 +++++++ .../shared/identity-block/onion-disabled.svg | 9 +++ .../themes/shared/identity-block/onion-lock.svg | 9 +++ browser/themes/shared/identity-block/onion.svg | 8 +++ browser/themes/shared/jar.inc.mn | 3 + dom/base/nsContentUtils.cpp | 21 +++++++ dom/base/nsContentUtils.h | 5 ++ dom/base/nsGlobalWindowOuter.cpp | 3 +- dom/presentation/PresentationRequest.cpp | 3 +- dom/security/nsMixedContentBlocker.cpp | 17 +++++- security/manager/ssl/nsSecureBrowserUIImpl.cpp | 57 +++++++++++-------- 13 files changed, 216 insertions(+), 62 deletions(-) diff --git a/browser/base/content/browser.js b/browser/base/content/browser.js index 68bbe3af99e9..fbfbf3e809ca 100644 --- a/browser/base/content/browser.js +++ b/browser/base/content/browser.js @@ -7507,6 +7507,10 @@ var gIdentityHandler = { Services.prefs.getBoolPref("security.insecure_password.ui.enabled"); }, + get _uriIsOnionHost() { + return this._uriHasHost ? this._uri.host.toLowerCase().endsWith(".onion") : false; + }, + // smart getters get _identityPopup() { delete this._identityPopup; @@ -7806,12 +7810,12 @@ var gIdentityHandler = { get pointerlockFsWarningClassName() { // Note that the fullscreen warning does not handle _isSecureInternalUI. if (this._uriHasHost && this._isEV) { - return "verifiedIdentity"; + return this._uriIsOnionHost ? "onionVerifiedIdentity" : "verifiedIdentity"; } if (this._uriHasHost && this._isSecure) { - return "verifiedDomain"; + return this._uriIsOnionHost ? "onionVerifiedDomain" : "verifiedDomain"; } - return "unknownIdentity"; + return this._uriIsOnionHost ? "onionUnknownIdentity" : "unknownIdentity"; }, /** @@ -7832,9 +7836,10 @@ var gIdentityHandler = { let brandBundle = document.getElementById("bundle_brand"); icon_label = brandBundle.getString("brandShorterName"); } else if (this._uriHasHost && this._isEV) { - this._identityBox.className = "verifiedIdentity"; + let uriIsOnionHost = this._uriIsOnionHost; + this._identityBox.className = uriIsOnionHost ? "onionVerifiedIdentity" : "verifiedIdentity"; if (this._isMixedActiveContentBlocked) { - this._identityBox.classList.add("mixedActiveBlocked"); + this._identityBox.classList.add(uriIsOnionHost ? "onionMixedActiveBlocked" : "mixedActiveBlocked"); } if (!this._isCertUserOverridden) { @@ -7860,10 +7865,17 @@ var gIdentityHandler = { let extensionName = this._pageExtensionPolicy.name; icon_label = gNavigatorBundle.getFormattedString( "identity.extension.label", [extensionName]); - } else if (this._uriHasHost && this._isSecure) { - this._identityBox.className = "verifiedDomain"; + // _isSecure implicitly includes onion services, which may not have an SSL certificate + } else if (this._uriHasHost && this._isSecure && this._sslStatus != null) { + let uriIsOnionHost = this._uriIsOnionHost; + if (uriIsOnionHost) { + this._identityBox.className = this._sslStatus.serverCert.isSelfSigned ? "onionSelfSigned" : "onionVerifiedDomain"; + } else { + this._identityBox.className = "verifiedDomain"; + } + if (this._isMixedActiveContentBlocked) { - this._identityBox.classList.add("mixedActiveBlocked"); + this._identityBox.classList.add(uriIsOnionHost ? "onionMixedActiveBlocked" : "mixedActiveBlocked"); } if (!this._isCertUserOverridden) { // It's a normal cert, verifier is the CA Org. @@ -7878,31 +7890,37 @@ var gIdentityHandler = { // For net errors we should not show notSecure as it's likely confusing this._identityBox.className = "unknownIdentity"; } else { + let uriIsOnionHost = this._uriIsOnionHost; if (this._isBroken) { - this._identityBox.className = "unknownIdentity"; + this._identityBox.className = uriIsOnionHost ? "onionUnknownIdentity" : "unknownIdentity"; if (this._isMixedActiveContentLoaded) { - this._identityBox.classList.add("mixedActiveContent"); + this._identityBox.classList.add(uriIsOnionHost ? "onionMixedActiveContent" : "mixedActiveContent"); } else if (this._isMixedActiveContentBlocked) { - this._identityBox.classList.add("mixedDisplayContentLoadedActiveBlocked"); + this._identityBox.classList.add(uriIsOnionHost ? "onionMixedDisplayContentLoadedActiveBlocked" : "mixedDisplayContentLoadedActiveBlocked"); } else if (this._isMixedPassiveContentLoaded) { - this._identityBox.classList.add("mixedDisplayContent"); + this._identityBox.classList.add(uriIsOnionHost ? "onionMixedDisplayContent" : "mixedDisplayContent"); } else { this._identityBox.classList.add("weakCipher"); } } else { - let warnOnInsecure = Services.prefs.getBoolPref("security.insecure_connection_icon.enabled") || - (Services.prefs.getBoolPref("security.insecure_connection_icon.pbmode.enabled") && - PrivateBrowsingUtils.isWindowPrivate(window)); - let className = warnOnInsecure ? "notSecure" : "unknownIdentity"; - this._identityBox.className = className; - - let warnTextOnInsecure = Services.prefs.getBoolPref("security.insecure_connection_text.enabled") || - (Services.prefs.getBoolPref("security.insecure_connection_text.pbmode.enabled") && - PrivateBrowsingUtils.isWindowPrivate(window)); - if (warnTextOnInsecure) { - icon_label = gNavigatorBundle.getString("identity.notSecure.label"); - this._identityBox.classList.add("notSecureText"); + if (!uriIsOnionHost) { + let warnOnInsecure = Services.prefs.getBoolPref("security.insecure_connection_icon.enabled") || + (Services.prefs.getBoolPref("security.insecure_connection_icon.pbmode.enabled") && + PrivateBrowsingUtils.isWindowPrivate(window)); + let className = warnOnInsecure ? "notSecure" : "unknownIdentity"; + this._identityBox.className = className; + + let warnTextOnInsecure = Services.prefs.getBoolPref("security.insecure_connection_text.enabled") || + (Services.prefs.getBoolPref("security.insecure_connection_text.pbmode.enabled") && + PrivateBrowsingUtils.isWindowPrivate(window)); + if (warnTextOnInsecure) { + icon_label = gNavigatorBundle.getString("identity.notSecure.label"); + this._identityBox.classList.add("notSecureText"); + } + // http onion is secure + } else { + this._identityBox.className = "onionUnknownIdentity"; } } if (this._hasInsecureLoginForms) { diff --git a/browser/base/content/pageinfo/security.js b/browser/base/content/pageinfo/security.js index 2d6c5fb1d396..5a827488ccad 100644 --- a/browser/base/content/pageinfo/security.js +++ b/browser/base/content/pageinfo/security.js @@ -12,6 +12,10 @@ ChromeUtils.defineModuleGetter(this, "LoginHelper", ChromeUtils.defineModuleGetter(this, "PluralForm", "resource://gre/modules/PluralForm.jsm"); +XPCOMUtils.defineLazyGetter(this, "gTorButtonBundle", function() { + return Services.strings.createBundle("chrome://torbutton/locale/torbutton.properties"); +}); + var security = { init(uri, windowInfo) { this.uri = uri; @@ -48,6 +52,8 @@ var security = { (ui.state & Ci.nsIWebProgressListener.STATE_IS_INSECURE); var isEV = (ui.state & Ci.nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL); + var isOnion = hostName.endsWith(".onion"); + ui.QueryInterface(nsISSLStatusProvider); var status = ui.SSLStatus; @@ -65,6 +71,7 @@ var security = { isBroken, isMixed, isEV, + isOnion, cert, certificateTransparency: undefined }; @@ -121,6 +128,7 @@ var security = { isBroken, isMixed, isEV, + isOnion, cert: null, certificateTransparency: null }; @@ -257,20 +265,49 @@ function securityOnLoad(uri, windowInfo) { } msg2 = pkiBundle.getString("pageInfo_Privacy_None2"); } else if (info.encryptionStrength > 0) { - hdr = pkiBundle.getFormattedString("pageInfo_EncryptionWithBitsAndProtocol", - [info.encryptionAlgorithm, - info.encryptionStrength + "", - info.version]); + if (!info.isOnion) { + hdr = pkiBundle.getFormattedString("pageInfo_EncryptionWithBitsAndProtocol", + [info.encryptionAlgorithm, + info.encryptionStrength + "", + info.version]); + } else { + try { + hdr = gTorButtonBundle.formatStringFromName("pageInfo_OnionEncryptionWithBitsAndProtocol", + [info.encryptionAlgorithm, + info.encryptionStrength + "", + info.version], 3); + } catch(err) { + hdr = "Connection Encrypted (Onion Service, " + + info.encryptionAlgorithm + + ", " + + info.encryptionStrength + + " bit keys, " + + info.version + + ")"; + } + } msg1 = pkiBundle.getString("pageInfo_Privacy_Encrypted1"); msg2 = pkiBundle.getString("pageInfo_Privacy_Encrypted2"); security._cert = info.cert; } else { - hdr = pkiBundle.getString("pageInfo_NoEncryption"); - if (info.hostName != null) - msg1 = pkiBundle.getFormattedString("pageInfo_Privacy_None1", [info.hostName]); - else - msg1 = pkiBundle.getString("pageInfo_Privacy_None4"); - msg2 = pkiBundle.getString("pageInfo_Privacy_None2"); + if (!info.isOnion) { + hdr = pkiBundle.getString("pageInfo_NoEncryption"); + if (info.hostName != null) { + msg1 = pkiBundle.getFormattedString("pageInfo_Privacy_None1", [info.hostName]); + } else { + msg1 = pkiBundle.getString("pageInfo_Privacy_None4"); + } + msg2 = pkiBundle.getString("pageInfo_Privacy_None2"); + } else { + try { + hdr = gTorButtonBundle.GetStringFromName("pageInfo_OnionEncryption"); + } catch (err) { + hdr = "Connection Encrypted (Onion Service)"; + } + + msg1 = pkiBundle.getString("pageInfo_Privacy_Encrypted1"); + msg2 = pkiBundle.getString("pageInfo_Privacy_Encrypted2"); + } } setText("security-technical-shortform", hdr); setText("security-technical-longform1", msg1); diff --git a/browser/themes/shared/identity-block/identity-block.inc.css b/browser/themes/shared/identity-block/identity-block.inc.css index ac85070708c4..36bab9f13715 100644 --- a/browser/themes/shared/identity-block/identity-block.inc.css +++ b/browser/themes/shared/identity-block/identity-block.inc.css @@ -200,6 +200,26 @@ visibility: visible; } +#urlbar[pageproxystate="valid"] > #identity-box.onionUnknownIdentity > #connection-icon, +#urlbar[pageproxystate="valid"] > #identity-box.onionSelfSigned > #connection-icon { + list-style-image: url(chrome://browser/skin/onion.svg); + visibility: visible; +} + +#urlbar[pageproxystate="valid"] > #identity-box.onionVerifiedDomain > #connection-icon, +#urlbar[pageproxystate="valid"] > #identity-box.onionVerifiedIdentity > #connection-icon, +#urlbar[pageproxystate="valid"] > #identity-box.onionMixedActiveBlocked > #connection-icon { + list-style-image: url(chrome://browser/skin/onion-lock.svg); + visibility: visible; +} + +#urlbar[pageproxystate="valid"] > #identity-box.onionMixedActiveContent > #connection-icon, +#urlbar[pageproxystate="valid"] > #identity-box.onionMixedDisplayContentLoadedActiveBlocked > #connection-icon, +#urlbar[pageproxystate="valid"] > #identity-box.onionMixedDisplayContent > #connection-icon { + list-style-image: url(chrome://browser/skin/onion-disabled.svg); + visibility: visible; +} + #identity-box.extensionPage > #extension-icon { list-style-image: url(chrome://mozapps/skin/extensions/extensionGeneric-16.svg); visibility: visible; diff --git a/browser/themes/shared/identity-block/onion-disabled.svg b/browser/themes/shared/identity-block/onion-disabled.svg new file mode 100644 index 000000000000..f5b20a87a923 --- /dev/null +++ b/browser/themes/shared/identity-block/onion-disabled.svg @@ -0,0 +1,9 @@ +<?xml version="1.0" encoding="UTF-8"?> +<svg width="16px" height="16px" viewBox="0 0 16 16" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> + <title>onion-disabled</title> + <defs></defs> + <g id="onion-disabled" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd"> + <path d="M3.55670557,13.5290809 C2.58943965,12.7067569 2,11.5773827 2,10.2383803 C2,8.40140797 3.11044937,6.84614642 4.80245393,5.95790561 C4.86922061,5.92314081 4.937062,5.88953483 5.00557508,5.85697179 C5.34048317,5.68140952 5.95495153,5.31464081 6.18735866,4.8796172 C6.261514,4.74090562 6.26057363,4.55305979 6.20885297,4.4070476 C6.11172559,4.13310092 5.57517408,3.53792744 5.57517408,3.53792744 L6.39988357,3 L7.47070238,3.38224206 C7.23186151,2.5028722 6.97233174,1.62308364 8.87366696,4.4408921e-16 L8.87366696,0.000113687544 C8.14572562,0.965320936 8.77600936,1.33867083 8.69392696,2.02329722 C9.36752565,0.933374736 10.7903253,0.789787368 11.8884333,0.334923505 C10.6431583,1.59850841 9.72300609,3.05795044 8.87524898,3.88361241 L9.6358507,4.15511863 C9.6358507,4.15511863 9.27501511,4.42489353 9.52743882,4.95911272 C9.65035936,5.21926936 9.85710767,5.38741514 10.0560643,5.49588134 C10.2394376,5.55069385 10.4187806,5.61269109 10.5936905,5.68164129 C10.7858529,5.7574053 10.972 3418,5.84145128 11.1524919,5.93329454 L3.55670557,13.5290809 Z M5.3590214,14.5551922 L12.7674177,7.1467959 C13.5406039,7.99044704 14,9.05632625 14,10.2383803 C14,13.0968586 11.3137496,15 8,15 C7.05229776,15 6.15591919,14.8443406 5.3590214,14.5551922 Z" id="Combined-Shape" fill="#4A4A4A" fill-rule="nonzero"></path> + <path d="M13.7928932,1.29289322 C14.1834175,0.902368927 14.8165825,0.902368927 15.2071068,1.29289322 C15.5976311,1.68341751 15.5976311,2.31658249 15.2071068,2.70710678 L2.70710678,15.2071068 C2.31658249,15.5976311 1.68341751,15.5976311 1.29289322,15.2071068 C0.902368927,14.8165825 0.902368927,14.1834175 1.29289322,13.7928932 L13.7928932,1.29289322 Z" id="Line-2" fill="#D92D21" fill-rule="nonzero"></path> + </g> +</svg> diff --git a/browser/themes/shared/identity-block/onion-lock.svg b/browser/themes/shared/identity-block/onion-lock.svg new file mode 100644 index 000000000000..c88247eb19d7 --- /dev/null +++ b/browser/themes/shared/identity-block/onion-lock.svg @@ -0,0 +1,9 @@ +<?xml version="1.0" encoding="UTF-8"?> +<svg width="16px" height="16px" viewBox="0 0 16 16" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> + <title>onion+lock</title> + <defs></defs> + <g id="onion+lock" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd"> + <path d="M6.12228848,14.9544711 C3.22461281,14.6498012 1,12.8396709 1,10.2383803 C1,8.40140797 2.11044937,6.84614642 3.80245393,5.95790561 C3.86922061,5.92314081 3.937062,5.88953483 4.00557508,5.85697179 C4.34048317,5.68140952 4.95495153,5.31464081 5.18735866,4.8796172 C5.261514,4.74090562 5.26057363,4.55305979 5.20885297,4.4070476 C5.11172559,4.13310092 4.57517408,3.53792744 4.57517408,3.53792744 L5.39988357,3 L6.47070238,3.38224206 C6.23186151,2.5028722 5.97233174,1.62308364 7.87366696,0 L7.87366696,0.000113687544 C7.14572562,0.965320936 7.77600936,1.33867083 7.69392696,2.02329722 C8.36752565,0.933374736 9.79032527,0.789787368 10.8884333,0.334923505 C9.64315826,1.59850841 8.72300609,3.05795044 7.87524898,3.88361241 L8.6358507,4.15511863 C8.6358507,4.15511863 8.27501511,4.42489353 8.52743882,4.95911272 C8.56957789,5.04829846 8.6215686,5.12667085 8.67971976,5.19553247 C7.54569301,5.94640706 6.80000003,7.23368269 6.80000003,8.70000013 L6.80000003,8.80234816 C6.31732959,9.1249 1448 6,9.67479474 6,10.3000002 L6,14.3000003 C6,14.530995 6.04331804,14.7517071 6.12228848,14.9544711 Z" id="Combined-Shape" fill="#589A0F" fill-rule="nonzero"></path> + <path d="M11.0000002,5.5 C9.22720009,5.5 7.80000003,6.92720006 7.80000003,8.70000013 L7.80000003,9.50000016 C7.35680001,9.50000016 7,9.85680017 7,10.3000002 L7,14.3000003 C7,14.7432004 7.35680001,15.1000004 7.80000003,15.1000004 L14.2000003,15.1000004 C14.6432003,15.1000004 15.0000003,14.7432004 15.0000003,14.3000003 L15.0000003,10.3000002 C15.0000003,9.85680017 14.6432003,9.50000016 14.2000003,9.50000016 L14.2000003,8.70000013 C14.2000003,6.92720006 12.7728002,5.5 11.0000002,5.5 Z M11.0000002,7.10000006 C11.8864002,7.10000006 12.6000002,7.81360009 12.6000002,8.70000013 L12.6000002,9.50000016 L9.4000001,9.50000016 L9.4000001,8.70000013 C9.4000001,7.81360009 10.1136001,7.10000006 11.0000002,7.10000006 Z" id="Shape" fill="#589A0F" fill-rule="nonzero"></path> + </g> +</svg> diff --git a/browser/themes/shared/identity-block/onion.svg b/browser/themes/shared/identity-block/onion.svg new file mode 100644 index 000000000000..e102f41c5991 --- /dev/null +++ b/browser/themes/shared/identity-block/onion.svg @@ -0,0 +1,8 @@ +<?xml version="1.0" encoding="UTF-8"?> +<svg width="16px" height="16px" viewBox="0 0 16 16" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> + <title>onion</title> + <defs></defs> + <g id="onion" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd"> + <path d="M7.47070238,3.38224206 C7.23186151,2.5028722 6.97233174,1.62308364 8.87366696,4.4408921e-16 L8.87366696,0.000113687544 C8.14572562,0.965320936 8.77600936,1.33867083 8.69392696,2.02329722 C9.36752565,0.933374736 10.7903253,0.789787368 11.8884333,0.334923505 C10.6431583,1.59850841 9.72300609,3.05795044 8.87524898,3.88361241 L9.6358507,4.15511863 C9.6358507,4.15511863 9.27501511,4.42489353 9.52743882,4.95911272 C9.65035936,5.21926936 9.85710767,5.38741514 10.0560643,5.49588134 C10.2394376,5.55069385 10.4187806,5.61269109 10.5936905,5.68164129 C12.6087813,6.47613299 14,8.18134675 14,10.2383803 C14,13.0968586 11.3137496,15 8,15 C4.68625036,15 2,13.0968586 2,10.2383803 C2,8.40140797 3.11044937,6.84614642 4.80245393,5.95790561 C4.86922061,5.92314081 4.937062,5.88953483 5.00557508,5.85697179 C5.34048317,5.68140952 5.95495153,5.31464081 6.18735866,4.8796172 C6.261514,4.74090562 6.26057363,4.55305979 6.20885297,4.4070476 C6.11172559,4.13310092 5.57517408,3.53792744 5.57517408 ,3.53792744 L6.39988357,3 L7.47070238,3.38224206 Z" id="Combined-Shape" fill="#589A0F" fill-rule="nonzero"></path> + </g> +</svg> diff --git a/browser/themes/shared/jar.inc.mn b/browser/themes/shared/jar.inc.mn index 17debd82ddcd..3f59d7bfac19 100644 --- a/browser/themes/shared/jar.inc.mn +++ b/browser/themes/shared/jar.inc.mn @@ -45,6 +45,9 @@ skin/classic/browser/connection-secure.svg (../shared/identity-block/connection-secure.svg) skin/classic/browser/connection-mixed-passive-loaded.svg (../shared/identity-block/connection-mixed-passive-loaded.svg) skin/classic/browser/connection-mixed-active-loaded.svg (../shared/identity-block/connection-mixed-active-loaded.svg) + skin/classic/browser/onion.svg (../shared/identity-block/onion.svg) + skin/classic/browser/onion-lock.svg (../shared/identity-block/onion-lock.svg) + skin/classic/browser/onion-disabled.svg (../shared/identity-block/onion-disabled.svg) skin/classic/browser/identity-icon.svg (../shared/identity-block/identity-icon.svg) skin/classic/browser/identity-icon-notice.svg (../shared/identity-block/identity-icon-notice.svg) skin/classic/browser/info.svg (../shared/info.svg) diff --git a/dom/base/nsContentUtils.cpp b/dom/base/nsContentUtils.cpp index 63e1ac06bf2d..8257283e65a2 100644 --- a/dom/base/nsContentUtils.cpp +++ b/dom/base/nsContentUtils.cpp @@ -10039,6 +10039,27 @@ nsContentUtils::HttpsStateIsModern(nsIDocument* aDocument) return false; } +/* static */ bool +nsContentUtils::DocumentHasOnionURI(nsIDocument* aDocument) +{ + if (!aDocument) { + return false; + } + + nsIURI* uri = aDocument->GetDocumentURI(); + if (!uri) { + return false; + } + + nsAutoCString host; + if (NS_SUCCEEDED(uri->GetHost(host))) { + bool hasOnionURI = StringEndsWith(host, NS_LITERAL_CSTRING(".onion")); + return hasOnionURI; + } + + return false; +} + /* static */ void nsContentUtils::TryToUpgradeElement(Element* aElement) { diff --git a/dom/base/nsContentUtils.h b/dom/base/nsContentUtils.h index 9ef79a569ea3..246dabf340de 100644 --- a/dom/base/nsContentUtils.h +++ b/dom/base/nsContentUtils.h @@ -3050,6 +3050,11 @@ public: static bool HttpsStateIsModern(nsIDocument* aDocument); /** + * Returns true of the document's URI is a .onion + */ + static bool DocumentHasOnionURI(nsIDocument* aDocument); + + /** * Try to upgrade an element. * https://html.spec.whatwg.org/multipage/custom-elements.html#concept-try-upg… */ diff --git a/dom/base/nsGlobalWindowOuter.cpp b/dom/base/nsGlobalWindowOuter.cpp index 7d947b653f70..e4b847406085 100644 --- a/dom/base/nsGlobalWindowOuter.cpp +++ b/dom/base/nsGlobalWindowOuter.cpp @@ -1495,7 +1495,8 @@ nsGlobalWindowOuter::ComputeIsSecureContext(nsIDocument* aDocument, SecureContex return false; } - if (nsContentUtils::HttpsStateIsModern(aDocument)) { + if (nsContentUtils::HttpsStateIsModern(aDocument) || + nsContentUtils::DocumentHasOnionURI(aDocument)) { return true; } diff --git a/dom/presentation/PresentationRequest.cpp b/dom/presentation/PresentationRequest.cpp index 4c00150a359d..577aa3dd739e 100644 --- a/dom/presentation/PresentationRequest.cpp +++ b/dom/presentation/PresentationRequest.cpp @@ -512,7 +512,8 @@ PresentationRequest::IsProhibitMixedSecurityContexts(nsIDocument* aDocument) nsCOMPtr<nsIDocument> doc = aDocument; while (doc && !nsContentUtils::IsChromeDoc(doc)) { - if (nsContentUtils::HttpsStateIsModern(doc)) { + if (nsContentUtils::HttpsStateIsModern(doc) || + nsContentUtils::DocumentHasOnionURI(doc)) { return true; } diff --git a/dom/security/nsMixedContentBlocker.cpp b/dom/security/nsMixedContentBlocker.cpp index adc0bfd80e88..7b0e5088a4de 100644 --- a/dom/security/nsMixedContentBlocker.cpp +++ b/dom/security/nsMixedContentBlocker.cpp @@ -694,7 +694,7 @@ nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect, return NS_OK; } - // Check the parent scheme. If it is not an HTTPS page then mixed content + // Check the parent scheme. If it is not an HTTPS or .onion page then mixed content // restrictions do not apply. bool parentIsHttps; nsCOMPtr<nsIURI> innerRequestingLocation = NS_GetInnermostURI(requestingLocation); @@ -711,8 +711,19 @@ nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect, return NS_OK; } if (!parentIsHttps) { - *aDecision = ACCEPT; - return NS_OK; + nsAutoCString parentHost; + rv = innerRequestingLocation->GetHost(parentHost); + if (NS_FAILED(rv)) { + NS_ERROR("requestingLocation->GetHost failed"); + *aDecision = REJECT_REQUEST; + return NS_OK; + } + + bool parentIsOnion = StringEndsWith(parentHost, NS_LITERAL_CSTRING(".onion")); + if (!parentIsOnion) { + *aDecision = ACCEPT; + return NS_OK; + } } nsCOMPtr<nsIDocShell> docShell = NS_CP_GetDocShellFromContext(aRequestingContext); diff --git a/security/manager/ssl/nsSecureBrowserUIImpl.cpp b/security/manager/ssl/nsSecureBrowserUIImpl.cpp index a2f24df7c4af..336901f0226e 100644 --- a/security/manager/ssl/nsSecureBrowserUIImpl.cpp +++ b/security/manager/ssl/nsSecureBrowserUIImpl.cpp @@ -294,36 +294,35 @@ static uint32_t GetSecurityStateFromSecurityInfoAndRequest(nsISupports* info, uint32_t securityState; nsCOMPtr<nsITransportSecurityInfo> psmInfo(do_QueryInterface(info)); + MOZ_LOG(gSecureDocLog, LogLevel::Debug, ("SecureUI: GetSecurityState: - info is %p\n", + (nsISupports *)info)); if (!psmInfo) { MOZ_LOG(gSecureDocLog, LogLevel::Debug, ("SecureUI: GetSecurityState: - no nsITransportSecurityInfo for %p\n", (nsISupports *)info)); - return nsIWebProgressListener::STATE_IS_INSECURE; + securityState = nsIWebProgressListener::STATE_IS_INSECURE; + } else { + res = psmInfo->GetSecurityState(&securityState); + if (NS_FAILED(res)) { + MOZ_LOG(gSecureDocLog, LogLevel::Debug, ("SecureUI: GetSecurityState: - GetSecurityState failed: %" PRIu32 "\n", + static_cast<uint32_t>(res))); + securityState = nsIWebProgressListener::STATE_IS_BROKEN; + } } - MOZ_LOG(gSecureDocLog, LogLevel::Debug, ("SecureUI: GetSecurityState: - info is %p\n", - (nsISupports *)info)); - res = psmInfo->GetSecurityState(&securityState); - if (NS_FAILED(res)) { - MOZ_LOG(gSecureDocLog, LogLevel::Debug, ("SecureUI: GetSecurityState: - GetSecurityState failed: %" PRIu32 "\n", - static_cast<uint32_t>(res))); - securityState = nsIWebProgressListener::STATE_IS_BROKEN; + nsCOMPtr<nsIURI> uri; + nsCOMPtr<nsIChannel> channel(do_QueryInterface(request)); + if (channel) { + channel->GetURI(getter_AddRefs(uri)); + } else { + nsCOMPtr<imgIRequest> imgRequest(do_QueryInterface(request)); + if (imgRequest) { + imgRequest->GetURI(getter_AddRefs(uri)); + } } - if (securityState != nsIWebProgressListener::STATE_IS_INSECURE) { - // A secure connection does not yield a secure per-uri channel if the - // scheme is plain http. - - nsCOMPtr<nsIURI> uri; - nsCOMPtr<nsIChannel> channel(do_QueryInterface(request)); - if (channel) { - channel->GetURI(getter_AddRefs(uri)); - } else { - nsCOMPtr<imgIRequest> imgRequest(do_QueryInterface(request)); - if (imgRequest) { - imgRequest->GetURI(getter_AddRefs(uri)); - } - } - if (uri) { + if (uri) { + // http and ftp are always insecure + if (securityState != nsIWebProgressListener::STATE_IS_INSECURE) { bool isHttp, isFtp; if ((NS_SUCCEEDED(uri->SchemeIs("http", &isHttp)) && isHttp) || (NS_SUCCEEDED(uri->SchemeIs("ftp", &isFtp)) && isFtp)) { @@ -332,6 +331,18 @@ static uint32_t GetSecurityStateFromSecurityInfoAndRequest(nsISupports* info, securityState = nsIWebProgressListener::STATE_IS_INSECURE; } } + + // any protocol routed over tor is secure + if (securityState != nsIWebProgressListener::STATE_IS_SECURE) { + nsAutoCString host; + if (NS_SUCCEEDED(uri->GetHost(host))) { + if (StringEndsWith(host, NS_LITERAL_CSTRING(".onion"))) { + MOZ_LOG(gSecureDocLog, LogLevel::Debug, ("SecureUI: GetSecurityState: - " + "uri is onion.\n")); + securityState = nsIWebProgressListener::STATE_IS_SECURE; + } + } + } } MOZ_LOG(gSecureDocLog, LogLevel::Debug, ("SecureUI: GetSecurityState: - Returning %d\n",

1 0