[tor-bugs] #32645 [Applications/Tor Browser]: Update URL bar onion indicators

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Feb 12 23:54:32 UTC 2020 

#32645: Update URL bar onion indicators
--------------------------------------------+------------------------------
 Reporter:  antonela                        |          Owner:  pospeselr
     Type:  defect                          |         Status:  needs_review
 Priority:  Medium                          |      Milestone:
Component:  Applications/Tor Browser        |        Version:
 Severity:  Normal                          |     Resolution:
 Keywords:  ux-team, TorBrowserTeam202002R  |  Actual Points:
Parent ID:  #30025                          |         Points:
 Reviewer:                                  |        Sponsor:
                                            |  Sponsor27-must
--------------------------------------------+------------------------------
Changes (by pospeselr):

 * status:  assigned => needs_review


Comment:

 Ok, once again implemented as a fixup commit on
 7d3475febd37ae2b35432105f5e4c0da30852bc6. We needed to add the Onion+Slash
 icon for Onion firstparty and HTTP active content (javascript). I also
 simplified things a bit as there is no reason to have special logic or css
 rules for self-signed onion sites.

 -----

 This patch alone is not sufficient for all scenarios.

 We need to rework when the user-override screen comes up, as currently
 self-signed HTTPS onionsites and HTTPS onionsites with unknown certificate
 authorities will pop a warning page that the user has to manually click
 through (basically the behaviour on the clearnet for these pages: https
 ://self-signed.badssl.com/ and https://untrusted-root.badssl.com/ ). I'm
 intending to fix this problem in a separate patch for #13410.

 HTTP Onion sites with clearnet HTTP forms do not currently trigger a popup
 warning on form submission (see clearnet version here: https://mixed-
 form.badssl.com/ ). It seems firefox only does this on HTTPS pages so we
 need to make it so it does this on HTTP onionsites as well. I'll file a
 new bug for this issue and parent it to #30005.

 I'm currently testing this patch with the following onionsite scenarios
 and all is working as expected apart from the previously mentioned issues:

 - HTTP Onion
 - HTTPS Onion Self-Signed
 - HTTPS Onion Unknown CA
 - HTTPS Onion EV
 - HTTPS Onion Wrong Domain
 - HTTP(S) Onion + HTTP Script
 - HTTP(S) Onion + HTTP Content
 - HTTP(S) Onion + HTTPS Content
 - HTTP(S) Onion + HTTP Form

 If you can think of any weird scenarios I nee to think about do let me
 know!

 tor-browser: https://gitweb.torproject.org/user/richard/tor-
 browser.git/commit/?h=bug_32645_v2

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32645#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list