[tor-bugs] #33726 [Applications/Tor Browser]: Fix patch for #23247: Communicating security expectations for .onion

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Mar 25 17:24:00 UTC 2020


#33726: Fix patch for #23247: Communicating security expectations for .onion
------------------------------------------+--------------------------------
     Reporter:  acat                      |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:
                                          |  TorBrowserTeam202003
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+--------------------------------
 While working on #33533 I realized that in the switch to ESR68 (#30429)
 the patch for #23247 was ported incorrectly. The original patch for ESR60
 was `651e4ef7de3e` and the mistake was introduced in revision
 https://github.com/acatarineu/tor-browser/commits/30429+6 (see comment in
 https://trac.torproject.org/projects/tor/ticket/30429#comment:26).

 My understanding is that in the original patch, the block of
 `if (isHttpScheme && IsPotentiallyTrustworthyOnion(innerContentLocation)) {`
 was moved from
 https://github.com/acatarineu/tor-browser/commit/651e4ef7de3e#diff-b6c711bd6646bb39271394da3fc55d0cL754
 to
 https://github.com/acatarineu/tor-browser/commit/651e4ef7de3e#diff-b6c711bd6646bb39271394da3fc55d0cR737
 in order to allow mixed contents in workers for the .onion case (which
 would get disallowed otherwise).

 However, in ESR68 there's `IsPotentiallyTrustworthyOrigin`, which includes
 `IsPotentiallyTrustworthyOnion`. So, I think this block:
 https://github.com/acatarineu/tor-browser/commit/6301359f2742d070b1b4149d13c388e96b1b8080#diff-b6c711bd6646bb39271394da3fc55d0cL778
 should not be removed, since it's not the same as the one that is added in
 https://github.com/acatarineu/tor-browser/commit/6301359f2742d070b1b4149d13c388e96b1b8080#diff-b6c711bd6646bb39271394da3fc55d0cR771.

 I think this is not a security issue; the result of this bug is that we
 are not allowing cases that we should (all cases of
 `IsPotentiallyTrustworthyOrigin` that are not `.onion`).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33726>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

