[tor-bugs] #24616 [Applications/Tor Browser]: Audit the use of IsSecureContext to avoid bleeding http/https origins
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Dec 13 17:41:08 UTC 2017
#24616: Audit the use of IsSecureContext to avoid bleeding http/https origins
------------------------------------------+----------------------
 Reporter:  tom                           |      Owner:  tbb-team
     Type:  defect                        |     Status:  new
 Priority:  Medium                        |  Milestone:
Component:  Applications/Tor Browser      |    Version:
 Severity:  Normal                        |   Keywords:
Actual Points:                            |  Parent ID:
   Points:                                |   Reviewer:
  Sponsor:                                |
------------------------------------------+----------------------
 http://example.com and https://example.com are different origins and do
 not share state (cookies, etc.).

 If TB edits IsSecureContext to make .onion secure, it may be the case that
 the origin separation checks use IsSecureContext and thus data will bleed
 between them. That would be bad.

 We could probably talk to Kate about this.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24616>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
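
The concern in the ticket above, as an added sketch that is not part of the original message and is not Tor Browser or Firefox code: if a state-separation key were built from the secure-context bit instead of the real scheme, treating .onion as secure would merge the http and https origins of an onion host. Every function name and URL below is a hypothetical, constructed for the illustration.

```javascript
// Added illustration; a model of the concern, not Tor Browser or Firefox code.
// All function names here are hypothetical.

// Stock-style predicate (simplified): only https counts as secure.
const stockIsSecure = (u) => u.protocol === "https:";

// Patched-style predicate: .onion hosts are also treated as secure.
const onionIsSecure = (u) =>
  u.protocol === "https:" || u.hostname.endsWith(".onion");

// Correct separation key: the full origin (scheme, host, port).
const originKey = (u) => u.origin;

// Hypothetical flawed key: the scheme is replaced by the secure-context bit.
const flawedKey = (u, isSecure) =>
  `${isSecure(u) ? "secure" : "insecure"}|${u.host}`;

// Audit helper: report every group of distinct origins the flawed key merges.
function findBleeds(urls, isSecure) {
  const seen = new Map(); // flawed key -> set of real origins
  for (const s of urls) {
    const u = new URL(s);
    const k = flawedKey(u, isSecure);
    if (!seen.has(k)) seen.set(k, new Set());
    seen.get(k).add(originKey(u));
  }
  return [...seen.values()]
    .filter((origins) => origins.size > 1)
    .map((origins) => [...origins].sort());
}

// Constructed sample URLs.
const SAMPLE = [
  "http://example.com/", "https://example.com/",
  "http://abc.onion/", "https://abc.onion/",
];

console.log("stock:", findBleeds(SAMPLE, stockIsSecure));
console.log("onion-patched:", findBleeds(SAMPLE, onionIsSecure));
```

An audit of the real code base would look for call sites where IsSecureContext feeds a comparison or lookup key in this way, and confirm that they compare full origins.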