[tor-commits] [tor-browser/tor-browser-68.1.0esr-9.0-2] fixup! Bug 23247: Communicating security expectations for .onion

gk at torproject.org gk at torproject.org
Fri Oct 11 20:40:42 UTC 2019


commit dece7a15a8703596366c54f4420bd7286c66b10f
Author: Alex Catarineu <acat at torproject.org>
Date:   Fri Sep 20 12:48:40 2019 +0200

    fixup! Bug 23247: Communicating security expectations for .onion
---
 browser/base/content/browser-siteIdentity.js   |  4 +++
 docshell/base/nsDocShell.cpp                   |  4 ++-
 security/manager/ssl/nsSecureBrowserUIImpl.cpp | 46 ++++++++++++++++----------
 3 files changed, 36 insertions(+), 18 deletions(-)

diff --git a/browser/base/content/browser-siteIdentity.js b/browser/base/content/browser-siteIdentity.js
index 12d9a29bf512..9da2e289b86d 100644
--- a/browser/base/content/browser-siteIdentity.js
+++ b/browser/base/content/browser-siteIdentity.js
@@ -612,6 +612,10 @@ var gIdentityHandler = {
    * built-in (returns false) or imported (returns true).
    */
   _hasCustomRoot() {
+    if (!this._secInfo) {
+      return false;
+    }
+
     let issuerCert = null;
     // Walk the whole chain to get the last cert.
     // eslint-disable-next-line no-empty
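Review bot: The new guard in `_hasCustomRoot()` returns false without saying when `this._secInfo` can be missing, so a reader may take it for defensive noise rather than a deliberate branch. A one-line comment would anchor it, e.g. `// No TLS security info (presumably a plain-http .onion load): there is no chain to walk, so no custom root.` The "plain-http .onion" case is inferred from the commit title, not from this hunk, so confirm that is the only path that reaches here without security info. The rest of _hasCustomRoot runs past the hunk.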
diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
index 578a06d61a83..7f3d8a3e0542 100644
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -63,6 +63,7 @@
 #include "mozilla/dom/ChildSHistory.h"
 #include "mozilla/dom/nsCSPContext.h"
 #include "mozilla/dom/LoadURIOptionsBinding.h"
+#include "mozilla/dom/nsMixedContentBlocker.h"
 
 #include "mozilla/net/ReferrerPolicy.h"
 #include "mozilla/net/UrlClassifierFeatureFactory.h"
@@ -5583,7 +5584,8 @@ nsDocShell::GetAllowMixedContentAndConnectionData(
     // aRootHasSecureConnection should be false.
     nsCOMPtr<nsIURI> rootUri = rootPrincipal->GetURI();
     if (nsContentUtils::IsSystemPrincipal(rootPrincipal) || !rootUri ||
-        !SchemeIsHTTPS(rootUri)) {
+        (!SchemeIsHTTPS(rootUri) &&
+         !nsMixedContentBlocker::IsPotentiallyTrustworthyOnion(rootUri))) {
       *aRootHasSecureConnection = false;
     }
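Review bot: The comment ending at `// aRootHasSecureConnection should be false.` (it begins above the hunk) still describes only the non-HTTPS case, while the condition now also accepts a .onion root via IsPotentiallyTrustworthyOnion, so comment and code disagree. Update it so they match, e.g. `// ... if the root is neither https nor a .onion URI (whose transport is secured by Tor rather than TLS), aRootHasSecureConnection should be false.` Whether IsPotentiallyTrustworthyOnion does more than a host-suffix check (a pref gate, for instance) is not visible here, so the comment should not promise more than that. GetAllowMixedContentAndConnectionData continues outside the hunk.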
 
diff --git a/security/manager/ssl/nsSecureBrowserUIImpl.cpp b/security/manager/ssl/nsSecureBrowserUIImpl.cpp
index 2aba013650f0..ea1dfca20b6b 100644
--- a/security/manager/ssl/nsSecureBrowserUIImpl.cpp
+++ b/security/manager/ssl/nsSecureBrowserUIImpl.cpp
@@ -9,6 +9,7 @@
 #include "mozilla/Logging.h"
 #include "mozilla/Unused.h"
 #include "mozilla/dom/Document.h"
+#include "mozilla/dom/nsMixedContentBlocker.h"
 #include "nsContentUtils.h"
 #include "nsIChannel.h"
 #include "nsDocShell.h"
@@ -246,8 +247,8 @@ static nsresult URICanBeConsideredSecure(
     return rv;
   }
 
-  nsAutoCString host;
-  bool isOnion = NS_SUCCEEDED(innermostURI->GetHost(host)) && StringEndsWith(host, NS_LITERAL_CSTRING(".onion"));
+  bool isOnion =
+      nsMixedContentBlocker::IsPotentiallyTrustworthyOnion(innermostURI);
 
   canBeConsideredSecure = isHttps || isOnion;
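Review bot: `canBeConsideredSecure = isHttps || isOnion;` now rests on a helper whose name does not say why an http .onion counts as secure; a comment on the `isOnion` assignment would help, e.g. `// .onion hosts are reached through the onion service protocol, which supplies the encryption and authentication TLS would otherwise provide.` The replaced inline check accepted any host that StringEndsWith reported as ending in `.onion`; whether the helper treats case or a trailing dot differently is not visible here, so it is worth confirming the two agree for the hosts the old check accepted. URICanBeConsideredSecure starts before the hunk.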
 
@@ -314,24 +315,35 @@ nsresult nsSecureBrowserUIImpl::UpdateStateAndSecurityInfo(nsIChannel* channel,
     if (NS_FAILED(rv)) {
       return rv;
     }
-    // If the security state is STATE_IS_INSECURE, the TLS handshake never
-    // completed. Don't set any further state.
-    if (mState == STATE_IS_INSECURE) {
-      return NS_OK;
+    // Skip setting some state if mState == STATE_IS_INSECURE (TLS handshake
+    // never completed). But do not return in that case, since a
+    // STATE_IS_INSECURE can still be changed later to STATE_IS_SECURE if it's
+    // routed over tor (.onion).
+    if (mState != STATE_IS_INSECURE) {
+      mTopLevelSecurityInfo = securityInfo;
+      MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug,
+              ("  set mTopLevelSecurityInfo"));
+      bool isEV;
+      rv = mTopLevelSecurityInfo->GetIsExtendedValidation(&isEV);
+      if (NS_FAILED(rv)) {
+        return rv;
+      }
+      if (isEV) {
+        MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug, ("  is EV"));
+        mState |= STATE_IDENTITY_EV_TOPLEVEL;
+      }
     }
+  }
 
-    mTopLevelSecurityInfo = securityInfo;
-    MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug,
-            ("  set mTopLevelSecurityInfo"));
-    bool isEV;
-    rv = mTopLevelSecurityInfo->GetIsExtendedValidation(&isEV);
-    if (NS_FAILED(rv)) {
-      return rv;
-    }
-    if (isEV) {
-      MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug, ("  is EV"));
-      mState |= STATE_IDENTITY_EV_TOPLEVEL;
+  // any protocol routed over tor is secure
+  if ((mState & STATE_IS_SECURE) == 0) {
+    if (nsMixedContentBlocker::IsPotentiallyTrustworthyOnion(uri)) {
+      MOZ_LOG(gSecureBrowserUILog, LogLevel::Debug, ("  URI is onion"));
+      mState = STATE_IS_SECURE;
     }
+  }
+
+  if (mState != STATE_IS_INSECURE) {
     // Proactively check for mixed content in case GetState() is never called
     // (this can happen when loading from the BF cache).
     CheckForMixedContent();
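Review bot: The upgrade at `if ((mState & STATE_IS_SECURE) == 0)` also fires when mState is STATE_IS_BROKEN, and `mState = STATE_IS_SECURE;` then replaces the whole value, so the broken bit and any accompanying flags from GetSecurityState are discarded for an https .onion load. If the channel's security state can be STATE_IS_BROKEN at this point — a user-overridden certificate error, for example, which I cannot confirm from this hunk — the UI would report such a page as fully secure. The surrounding comments describe the intended case as the one where the TLS handshake never completed, so `if (mState == STATE_IS_INSECURE) {` matches that intent and leaves a broken TLS state untouched. The comment `// any protocol routed over tor is secure` also overstates what is checked, since only .onion URIs qualify; consider `// A plain-http .onion load gets its transport security from the onion service protocol rather than TLS, so treat it as secure.` UpdateStateAndSecurityInfo starts and ends outside the hunk.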


