Opened 3 years ago

Last modified 22 months ago

#21004 new defect

"JavaScript is disabled by default on all non-HTTPS sites" option shouldn't block JS on hidden services

Reported by: righnaw Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-security-slider
Cc: nido Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

"JavaScript is disabled by default on all non-HTTPS sites" option shouldn't block JS on hidden services

Child Tickets

Change History (9)

comment:1 Changed 3 years ago by cypherpunks

Why? There are a lot of onion sites that rely on JavaScript and use HTTPS, too, such as https://facebookcorewwwi.onion/

comment:2 Changed 3 years ago by gk

Keywords: tbb-security-slider added

comment:3 in reply to: 1 Changed 3 years ago by righnaw

Replying to cypherpunks:

Why? There are a lot of onion sites that rely on JavaScript and use HTTPS, too, such as https://facebookcorewwwi.onion/

But onion services already offer end-to-end encryption just like HTTPS, so they should be treated the same way, right?

comment:4 Changed 3 years ago by i139

The problem isn't only the encryption, but also the identity authentication; a CA will never authenticate an untrusted site, like a fake site, a clone site or whatever like those.

comment:5 Changed 22 months ago by micah

This happens with Riseup's onion version of webmail (roundcube): http://zsolxunfmbfuq7wf.onion

If you log in to the site with the TBB security settings set to Medium, JavaScript is disabled because it is not using HTTPS. This results in severe degradation in functionality of the site, so much so that you cannot even log out.

Either we have a way of issuing certificates for onion sites, or we should whitelist this restriction when using onion sites, otherwise you get the worst of both worlds :)

Last edited 22 months ago by micah
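To make the disagreement in this thread concrete, here is an added example (not Tor Browser or NoScript code) that models the Medium-level slider rule as a URL predicate: the `current` policy mirrors the behaviour micah describes (JavaScript only on `https:`), and the `proposed` policy adds the onion exemption the ticket asks for. The function names `jsAllowed` and `isOnionHost` are hypothetical.

```javascript
// Added example, not Tor Browser/NoScript code. Models the security-slider
// decision this ticket is about: at "Medium", JS runs only on HTTPS origins.
// The ticket's request is to treat .onion hosts as HTTPS-equivalent, since a
// rendezvous circuit is end-to-end encrypted and the address itself is the
// identity (no CA involved, the point i139 raises above).

function isOnionHost(hostname) {
  // WHATWG URL parsing already lowercases the host; strip a trailing dot
  // (FQDN form) so "abc.onion." is still recognised. A label such as
  // "abc.onion.example.com" is NOT an onion host and must not match.
  const h = hostname.replace(/\.$/, "");
  return h.endsWith(".onion");
}

// policy: "current"  -> JS only on https:
//         "proposed" -> JS on https:, or on http: when the host is .onion
function jsAllowed(urlString, policy = "current") {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // unparsable input: fail closed, keep JS off
  }
  if (url.protocol === "https:") return true;
  if (url.protocol !== "http:") return false; // file:, about:, etc. not handled here
  return policy === "proposed" && isOnionHost(url.hostname);
}

// Example from comment:5 (Riseup's Roundcube onion) under both policies.
// This covers only the script-blocking rule; the HTTP form-submission
// warnings mentioned for #21321 are a separate browser feature.
function riseupExample() {
  const u = "http://zsolxunfmbfuq7wf.onion/";
  return { current: jsAllowed(u, "current"), proposed: jsAllowed(u, "proposed") };
}
```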

comment:6 Changed 22 months ago by tom

Hm. I wonder why #21321 didn't resolve this?

comment:7 in reply to: 6; Changed 22 months ago by arma

Replying to tom:

Hm. I wonder why #21321 didn't resolve this?

I thought the patches for #21321 just disabled the new Firefox "yell extra loud if they're about to submit something over HTTP" features when you're on an onion site. And that there were more steps to be taken if you want the browser to actually treat onion sites as being like HTTPS in all ways.

comment:8 in reply to: 7 Changed 22 months ago by gk

Replying to arma:

Replying to tom:

Hm. I wonder why #21321 didn't resolve this?

I thought the patches for #21321 just disabled the new Firefox "yell extra loud if they're about to submit something over HTTP" features when you're on an onion site. And that there were more steps to be taken if you want the browser to actually treat onion sites as being like HTTPS in all ways.

Correct.

comment:9 Changed 22 months ago by boklm

Cc: nido added

#24143 is a duplicate.
