Why? There are a lot of onion sites that rely on JavaScript and use https, too, such as https://facebookcorewwwi.onion/
But onion services already offer end to end encryption just like https, so they should be treated the same way, right?
The problem isn't only the encryption, but also the identity authentication; a CA will never authenticate an untrusted site, like a fake site, clone site or whatever like those.
If you log in to the site with the TBB security settings set to Medium, JavaScript is disabled because it is not using https. This results in severe degradation in functionality of the site, so much so that you cannot even log out.
Either we have a way of issuing certificates for onion sites, or we should whitelist this restriction when using onion sites, otherwise you get the worst of both worlds :)
I thought the patches for legacy/trac#21321 (moved) just disabled the new Firefox "yell extra loud if they're about to submit something over http" features when you're on an onion site. And that there were more steps to be taken if you want the browser to actually treat onion sites as being like https in all ways.
Fixed with the bump to 11.0.4 (commit 6cbbd55840577c4d3ab5581e76cffde26a5f5ff6 and 8623975e60c99b2a526bbda133168d7de5f8d329 on tor-browser-build's maint-9.0 and master branches), thanks!
Trac: Resolution: N/A to fixed; Status: new to closed; Keywords: N/A deleted, TorBrowserTeam201910R added