Skip to content
GitLab
  • Menu
Projects Groups Snippets
  • /
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in
  • Trac Trac
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Issues 246
    • Issues 246
    • List
    • Boards
    • Service Desk
    • Milestones
  • Monitor
    • Monitor
    • Metrics
    • Incidents
  • Analytics
    • Analytics
    • Value stream
  • Wiki
    • Wiki
  • Activity
  • Create a new issue
  • Issue Boards
Collapse sidebar
  • Legacy
  • TracTrac
  • Issues
  • #33726
Closed (moved) (moved)
Open
Created Mar 25, 2020 by Alex Catarineu@acat

Fix patch for #23247: Communicating security expectations for .onion

While working on #33533 (moved) I realized that in the switch to ESR68 (#30429 (moved)) the patch for #23247 (moved) was ported incorrectly. The original patch for ESR60 was 651e4ef7de3e and the mistake was introduced in revision https://github.com/acatarineu/tor-browser/commits/30429+6 (see comment in https://trac.torproject.org/projects/tor/ticket/30429#comment:26).

My understanding is that in the original patch, the block of if (isHttpScheme && IsPotentiallyTrustworthyOnion(innerContentLocation)) { was moved from https://github.com/acatarineu/tor-browser/commit/651e4ef7de3e#diff-b6c711bd6646bb39271394da3fc55d0cL754 to https://github.com/acatarineu/tor-browser/commit/651e4ef7de3e#diff-b6c711bd6646bb39271394da3fc55d0cR737 in order to allow mixed contents in workers for the .onion case (which would get disallowed otherwise).

However, in ESR68 there's IsPotentiallyTrustworthyOrigin with includes IsPotentiallyTrustworthyOnion. So, I think this block: https://github.com/acatarineu/tor-browser/commit/6301359f2742d070b1b4149d13c388e96b1b8080#diff-b6c711bd6646bb39271394da3fc55d0cL778 should not be removed, since it's not the same as the one that is added in https://github.com/acatarineu/tor-browser/commit/6301359f2742d070b1b4149d13c388e96b1b8080#diff-b6c711bd6646bb39271394da3fc55d0cR771.

I think this is not a security issue, the result of this bug is that we are not allowing cases that we should (all cases of IsPotentiallyTrustworthyOrigin that are not .onion).

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information
Assignee
Assign to
Time tracking