[tbb-bugs] #24616 [Applications/Tor Browser]: Audit the use of IsSecureContext to avoid bleeding http/https origins
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Dec 14 07:03:29 UTC 2017
#24616: Audit the use of IsSecureContext to avoid bleeding http/https origins
--------------------------------------+--------------------------
Reporter: tom | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by gk):
Replying to [ticket:24616 tom]:
> http://example.com and https://example.com are different origins and do
not share state (cookies, etc)
>
> If TB edits IsSecureContext to make .onion secure,
Why should we want to do that? I deliberately avoided that when fixing
#21321 because messing with secure contexts in an .onion context is risky
(for one it needs a spec update as https://w3c.github.io/webappsec-secure-
contexts/ does not treat .onion as secure context). And it seems to me we
can avoid that at a fairly low cost by treating it as potentially
trustworthy. See: https://bugzilla.mozilla.org/show_bug.cgi?id=1382359
where Christoph said this approach looks good to him. FWIW: I still plan
to provide the second half of the patch for that bug this year.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24616#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list