[tbb-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Apr 12 00:30:51 UTC 2018


#21537: Consider ignoring secure cookies for .onion addresses
-------------------------------------------------+-------------------------
 Reporter:  micah                                |          Owner:  tbb-
                                                 |  team
     Type:  enhancement                          |         Status:
                                                 |  needs_review
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-usability,                       |  Actual Points:
  TorBrowserTeam201804R, GeorgKoppen201804       |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by pospeselr):

 Replying to [comment:14 arthuredelstein]:
 > Replying to [comment:13 gk]:
 > > Replying to [comment:12 pospeselr]:
 > > > Change looks good, only thing I'd suggest is moving the block at
 3340 a couple lines up before the Telemetry::Accumulate call ( since the
 enum seems to be a question of cookie security, rather than http(s) ).
 > > >
 > > > I also verified the hostURI that's passed in is already normalized,
 so we don't have to worry about case insensitive string compare.
 > >
 > > Thanks. I added the suggested change in `bug_21537_v3`
 (https://gitweb.torproject.org/user/gk/tor-
 browser.git/log/?h=bug_21537_v3). Let me know if that still looks good.
 >
 > The code looks good to me, but I would suggest factoring out the
 security checks (which are repeated in three places) by creating a static
 function like:
 > `bool IsSecureHost(nsIURI *aHostURI)`
 > that returns true for both https and .onion URIs.

 Yeah I'd agree with this.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21537#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list