[tbb-bugs] #30237 [Applications/Tor Browser]: Tor Browser: Improve TBB UI of hidden service client authorization

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue May 21 10:24:42 UTC 2019

#30237: Tor Browser: Improve TBB UI of hidden service client authorization
 Reporter:  asn                       |          Owner:  tbb-team
     Type:  defect                    |         Status:  needs_information
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  TorBrowserTeam201905      |  Actual Points:
Parent ID:  #30000                    |         Points:
 Reviewer:                            |        Sponsor:  Sponsor27-must

Comment (by acat):

 Replying to [comment:6 mcs]:
 > The mockups from comment:2 show a prompt that is contained entirely
 > within the content area. How concerned should we be about the "line of
 > death" issue (https://textslashplain.com/2017/01/14/the-line-of-death/)?
 > It seems like a bad idea to implement a prompt that any site could easily
 > spoof, but there are tradeoffs to consider.
 >
 > This question came up as Kathy and I looked at various options within
 > the Firefox codebase for implementing the client auth prompt. We might be
 > able to use a doorhanger that includes an arrow that overlaps the chrome
 > area (thus avoiding the "line of death" problem). But doorhangers within
 > Firefox are designed for optional interactions and entering a key for
 > client auth is not optional.
 >
 > We could use the prompt service (which is what HTTP basic auth uses),
 > but the prompts that are available to us are not very flexible. It might
 > be a lot of work to achieve the look we want; for example, I am not sure
 > how to implement the inline validation requirement. A final option is to
 > just implement an xhtml page (similar to what Firefox uses for network
 > error pages) where the entire prompt is contained within the content area.
 > That would give us the most flexibility, but of course "line of death" is
 > an issue.
 >
 > Antonela and others: what do you think?

 Interesting read :)

 How difficult would it be to have a new kind of prompt/modal that mimics
 HTTP auth behaviour, but with the style/layout of the Onion Auth mockups?
 By behaviour I mean darkening the background (also above the line of death)
 and blocking the browser UI.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30237#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
