
Bug 19850: Disable Plaintext HTTP Clearnet Connections

As discussed on #19850 (closed), it is time for us to force Tor Browser traffic to go over HTTPS only.

As reported by Arthur on #19850 (comment 2772089), Firefox's HTTPS-Only mode can coexist with HTTPS-Everywhere, so we can enable it as soon as possible.

In this MR, I also redefined dom.security.https_only_mode.upgrade_onion to be false, even though it already is. I do not see why Mozilla should change this, but I discussed that on IRC, and we decided to do so, to be on the safe side.

I expressed other questions on #19850 (comment 2777613), especially about dom.security.https_only_mode_send_http_background_request.

It makes sense to me to keep it enabled (see the comment, and the attached paper).

We could disable it for Safer/Safest modes, but that would be a different MR on torbutton 🙂.
