[tor-bugs] #28174 [Applications/Tor Browser]: Block non-.onion subresources on .onion websites?
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Oct 25 20:59:51 UTC 2018
#28174: Block non-.onion subresources on .onion websites?
--------------------------------------+--------------------------
Reporter: arthuredelstein | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by tom):
I think there are two constituents here: The onion server, and the Browser
user.
Our primary goal should be to serve the browser user.
Where it's easy and simple, we can serve the onion server. But these
suggestions are not comprehensive, and Tor Browser will never be a
comprehensive onion audit tool. I would instead advocate for improving the
tool onionscan https://onionscan.org/ where it is possible (although that
also cannot be comprehensive...)
Focusing on the browser user, I think it's fair to treat any non-onion
resource as Mixed Content on an onion, regardless of HTTP/HTTPS status.
There are three levels of Mixed Content Blocking:
- None
- Active (blocks scripts, allows images)
- Full (blocks scripts and images)
There's also the security slider. I would suggest that when the security
slider is at High, we perform Full blocking. It provides a smaller attack
surface for the browser user.
When the slider is not at High, I would advocate for either Active or Full
Blocking. Probably Active.
* I personally would ignore the situation of an HTTPS onion including from
an HTTP onion and give this no special treatment (that is to say it's fine,
and it loads fine.)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28174#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
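The blocking policy proposed in the comment above, written out as an added model (example code, not Tor Browser's implementation): non-onion subresources on a .onion document are treated as mixed content, the slider at High selects Full blocking, any other slider position selects Active blocking, and onion-to-onion loads get no special treatment regardless of scheme. The resource-type grouping, the slider level strings and the .onion hostnames used in the check are assumptions constructed for illustration.

```javascript
// Added example: a model of the proposed policy, not Tor Browser code.
// Resource-type groups and slider level names below are assumptions.

// Mixed Content Blocking levels named in the comment.
const BLOCKING = { NONE: "none", ACTIVE: "active", FULL: "full" };

// "Active" content: scripts and anything else that can run or fetch.
// "Passive" content: images and similar display-only resources.
// (Assumed grouping, modelled on browser mixed-content rules.)
const ACTIVE_TYPES = new Set(["script", "stylesheet", "iframe", "fetch", "websocket"]);
const PASSIVE_TYPES = new Set(["image", "media", "font"]);

function isOnionHost(hostname) {
  // URL.hostname is already lower-cased, so a suffix check is enough.
  return hostname === "onion" || hostname.endsWith(".onion");
}

// Slider at High -> Full blocking; any other position -> Active (the
// comment's suggested default). Slider level names are an assumption.
function blockingLevelForSlider(sliderLevel) {
  return String(sliderLevel).toLowerCase() === "high" ? BLOCKING.FULL : BLOCKING.ACTIVE;
}

// Decide whether a subresource load should be blocked on a .onion document.
// Returns { allowed: boolean, reason: string }.
function decideSubresourceLoad(documentUrl, resourceUrl, resourceType, sliderLevel) {
  const doc = new URL(documentUrl);
  const res = new URL(resourceUrl);

  if (!isOnionHost(doc.hostname)) {
    return { allowed: true, reason: "not an onion document; normal mixed-content rules apply" };
  }
  // Onion including from another onion: no special treatment, any scheme.
  if (isOnionHost(res.hostname)) {
    return { allowed: true, reason: "onion-to-onion load" };
  }

  const level = blockingLevelForSlider(sliderLevel);
  // Unknown resource types are treated as active, so the check fails closed.
  const isActive = ACTIVE_TYPES.has(resourceType) || !PASSIVE_TYPES.has(resourceType);

  if (level === BLOCKING.FULL) {
    return { allowed: false, reason: `full blocking: non-onion ${resourceType}` };
  }
  if (isActive) {
    return { allowed: false, reason: `active blocking: non-onion ${resourceType}` };
  }
  return { allowed: true, reason: `active blocking permits passive non-onion ${resourceType}` };
}
```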