GitLab

at 2023-11-06T21:22:17+00:00

fixup! Bug 23247: Communicating security expectations for .onion

Bug 42231: Improve the network monitor patch for http onion resources

     const {

       securityState,

-      urlDetails: { isLocal },

+      urlDetails: { host, isLocal },

     } = item;

     const iconClassList = ["requests-security-state-icon"];

     // Locally delivered files such as http://localhost and file:// paths

     // are considered to have been delivered securely.

-    if (isLocal) {

+    if (

+      isLocal ||

+      (host?.endsWith(".onion") &&

+        Services.prefs.getBoolPref("dom.securecontext.allowlist_onions", false))

+    ) {

       realSecurityState = "secure";

     }

     // The request did not contain any security info.

     if (!securityInfo) {

-      if (httpActivity.hostname && httpActivity.hostname.endsWith(".onion")) {

-        info.state = "secure";

-      }

       return info;

     }

         // schemes other than https and wss are subject to

         // downgrade/etc at the scheme level and should always be

         // considered insecure

-        if (httpActivity.hostname && httpActivity.hostname.endsWith(".onion")) {

-          info.state = "secure";

-        } else {

-          info.state = "insecure";

-        }

+        info.state = "insecure";

       } else if (state & wpl.STATE_IS_SECURE) {

         // The connection is secure if the scheme is sufficient

         info.state = "secure";

ma1 pushed to branch tor-browser-115.4.0esr-13.5-1 at The Tor Project / Applications / Tor Browser

Commits:

2 changed files:

Changes: