Opened 3 years ago

Last modified 6 months ago

#21728 new enhancement

Features that are made "HTTPS-only" should be available on .onion sites as well

Reported by: gk
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc: yawning
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor: Sponsor27

Description

Firefox 49 is adding an isSecureContext attribute (https://developer.mozilla.org/en-US/docs/Web/API/Window/isSecureContext); we should make sure it returns true on .onion sites as well.

Child Tickets

Ticket   Type         Status  Owner     Summary
#27313   enhancement  new     tbb-team  Help NoScript marking HTTP .onions as secure
#28478   enhancement  new     tbb-team  Enable http2 for .onion without https
#29705   defect       new     tbb-team  Enable Brotli compression for .onion domains

Change History (3)

comment:1 Changed 3 years ago by yawning

Cc: yawning added

Can this be made opt-in? I don't really think Tor Browser should support any of the APIs that require Secure Contexts in the first place, even with HTTPS...

https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts

comment:2 in reply to:  1 Changed 3 years ago by gk

Replying to yawning:

> Can this be made opt-in? I don't really think Tor Browser should support any of the APIs that require Secure Contexts in the first place, even with HTTPS...
>
> https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts

If it turns out to be the case that we think an API is to be disabled in an HTTPS context, it won't be available on .onion sites either. This bug is more about stopping the binding of isSecureContext to HTTPS.

comment:3 Changed 6 months ago by gk

Sponsor: Sponsor27
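
The behaviour this ticket asks for, sketched as an added example (not Firefox or Tor Browser code): a simplified origin check in the style of the Secure Contexts "potentially trustworthy origin" test, with a hypothetical `treatOnionAsSecure` option standing in for the opt-in raised in comment:1. It models only the origin decision, not the ancestor-frame checks a real isSecureContext performs, and all URLs in it are constructed.

```javascript
// Simplified model of deciding whether an origin may count as a secure context.
// Names (isOnionHost, isPotentiallyTrustworthy, treatOnionAsSecure) are
// hypothetical and exist only for this illustration.

// True only when the final DNS label is exactly "onion" and a label precedes it,
// so "example.onion.evil.test" and "notonion" are rejected.
function isOnionHost(host) {
  const labels = host.split(".");
  return labels.length >= 2 &&
         labels[labels.length - 1] === "onion" &&
         labels.every((label) => label.length > 0);
}

function isPotentiallyTrustworthy(urlString, options = {}) {
  const { treatOnionAsSecure = false } = options;
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparsable input is never trusted
  }
  const scheme = url.protocol.slice(0, -1);
  // The URL parser lowercases the host; drop one trailing root dot if present.
  const host = url.hostname.replace(/\.$/, "");

  // Authenticated transports are trusted regardless of host.
  if (scheme === "https" || scheme === "wss") return true;
  if (scheme !== "http" && scheme !== "ws") return false;

  // Loopback never leaves the machine, so plain HTTP is acceptable there.
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (/^127(\.\d{1,3}){3}$/.test(host) || host === "[::1]") return true;

  // The change under discussion: stop binding the decision to HTTPS alone
  // and accept .onion hosts over plain HTTP when the option is enabled.
  return treatOnionAsSecure && isOnionHost(host);
}

// Constructed sample inputs, classified with the .onion rule enabled.
function classifySamples() {
  const samples = [
    "https://example.com/",
    "http://example.com/",
    "http://exampleonionaddr.onion/",
    "http://example.onion.evil.test/",
  ];
  return samples.map((u) => [u, isPotentiallyTrustworthy(u, { treatOnionAsSecure: true })]);
}
```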