[tor-bugs] #21323 [Applications/Tor Browser]: Activate mixed content blocking
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Feb 3 21:28:08 UTC 2017
#21323: Activate mixed content blocking
--------------------------------------+------------------------------
Reporter: arthuredelstein | Owner: tbb-team
Type: defect | Status: needs_review
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: TorBrowserTeam201701R | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+------------------------------
Changes (by arthuredelstein):
* status: needs_information => needs_review
Comment:
Replying to [comment:2 gk]:
> Replying to [ticket:21323 arthuredelstein]:
> > I'm informed that HTTPS-Everywhere has likely disabled any rules that
break with mixed content blocking for active content, as suggested in
https://bugzilla.mozilla.org/show_bug.cgi?id=878890#c20.
>
> What does "likely" mean? And where can I find out more about that
change?
I think I misspoke here. But I've done some further investigation. I
searched the HTTPS Everywhere codebase and found 1258/22080 rulesets (5%)
contain `platform="mixedcontent"` attribute. These run only if active
mixed content is allowed, as in Tor Browser.
I had further discussions with legind and I think he makes a pretty good
argument that we should be blocking active mixed content nonetheless:
> I think for the sites that will have their rulesets disabled by flipping
the "mixedcontent" bit, their security will be downgraded a little. But
their security is already compromised by the fact that active mixed
content is being loaded on the page, which seems a huge downside. And for
sites that aren't included in HTTPS Everywhere, ensuring active mixed
content is not loaded on the page is a big win
Additionally, I think Tor Browser needs to be especially careful about
this because of the potential for script injection by exit nodes.
I created a demo page to test loading of mixed content in Tor Browser:
https://arthuredelstein.github.io/tordemos/mixed-content.html
Results are as follows:
* Low Security: Script is loaded and run over http.
* Medium Security: Script is not loaded (http scripts are blocked by
NoScript).
* High Security: Script is not loaded (all scripts are blocked by
NoScript).
When using High Security and visiting an https site, I often run into a
page that is broken without scripts. In that case I will sometimes click
on the NoScript button and select "Temporarily allow all this page",
because it seems relatively safe on an https site. But note in this demo,
doing that results in a script being loaded over http and running.
So at the very least I think we should be blocking mixed active content at
High Security, and my feeling is we should probably blocked mixed active
content at all security levels.
Potentially, we could also patch HTTPS Everywhere to add a pref that
enables the `platform="mixedcontent"` rulesets even when active mixed
content is being blocked. We could enable this pref at Medium and High
Security for maximum protection.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21323#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list