Opened 3 years ago

Closed 3 years ago

#19995 closed defect (fixed)

New Identity does not clear HSTS state anymore

Reported by: gk Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-newnym, tbb-torbutton, GeorgKoppen201608, TorBrowserTeam201608R
Cc: arthuredelstein Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

A while back Mozilla changed the way site security preferences are handled. The permission manager is not responsible for them anymore. This affects clearing HSTS (and possibly other state) on New Identity: it does not get deleted anymore.
This is a spin-off of #18589

Child Tickets

Change History (4)

comment:1 Changed 3 years ago by gk

Cc: arthuredelstein added; arthuredelsteint removed
Keywords: GeorgKoppen201608 TorBrowserTeam201608R added
Status: newneeds_review

While working on the design document I stumbled over #18589 again and after looking at it a bit at least the NEWNYM issue seemed trivially to fix. A patch is in my bug_19995_v2 (https://gitweb.torproject.org/user/gk/torbutton.git/commit/?h=bug_19995_v2).

comment:2 Changed 3 years ago by bugzilla

on New Identity: it does not get deleted anymore.

Can you confirm that? Because it does clear SiteSecurityServiceState.txt (by invoking Clear All History / Site Preferences somehow). And Firefox should do that then, otherwise there is something for uplifting.

NEWNYM issue seemed trivially to fix.

Retained state after exiting can be treated as newnym violation, so could you also provide a patch for clearing/deleting SiteSecurityServiceState.txt (as a workaround)?
(Maybe, even explain to Mozilla that exiting the browser should be treated as exiting PB and even PBM.)

Last edited 3 years ago by bugzilla (previous) (diff)

comment:3 in reply to:  1 ; Changed 3 years ago by mcs

Replying to gk:

While working on the design document I stumbled over #18589 again and after looking at it a bit at least the NEWNYM issue seemed trivially to fix. A patch is in my bug_19995_v2 (https://gitweb.torproject.org/user/gk/torbutton.git/commit/?h=bug_19995_v2).

This patch looks good to me.
I don't know the answers to the questions raised on comment:2, but it does seem like no data should be written to SiteSecurityServiceState.txt when in PBM or, as suggested by bugzilla, Mozilla should treat a browser exit as an exit from PBM.

comment:4 in reply to:  3 Changed 3 years ago by gk

Resolution: fixed
Status: needs_reviewclosed

Replying to mcs:

Replying to gk:

While working on the design document I stumbled over #18589 again and after looking at it a bit at least the NEWNYM issue seemed trivially to fix. A patch is in my bug_19995_v2 (https://gitweb.torproject.org/user/gk/torbutton.git/commit/?h=bug_19995_v2).

This patch looks good to me.
I don't know the answers to the questions raised on comment:2, but it does seem like no data should be written to SiteSecurityServiceState.txt when in PBM or, as suggested by bugzilla, Mozilla should treat a browser exit as an exit from PBM.

We have #18589 for fixing the underlying problem and that should be something for uplifting then, yes. Fixed on maser (commit 6dc853740b0e2be39f17b1a1857f2610de42548c) and maint-1.9.5 (commit 3c04ec4654270f2896db0efffc4bc72edc2e3018).

Note: See TracTickets for help on using tickets.