Opened 2 years ago

Last modified 2 years ago

#21728 new enhancement

Features that are made "HTTPS-only" should be available on .onion sites as well

Reported by: gk Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: yawning Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Firefox 49 is adding an isSecureContext attribute (https://developer.mozilla.org/en-US/docs/Web/API/Window/isSecureContext) we should make sure it returns true on .onion sites as well.

Child Tickets

Change History (2)

comment:1 Changed 2 years ago by yawning

Cc: yawning added

Can this be made opt-in? I don't really think Tor Browser should support any of the APIs that require Secure Contexts in the first place, even with HTTPS...

https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts

comment:2 in reply to:  1 Changed 2 years ago by gk

Replying to yawning:

Can this be made opt-in? I don't really think Tor Browser should support any of the APIs that require Secure Contexts in the first place, even with HTTPS...

https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts

If it turns out to be the case that we think an API is to be disabled in an HTTPS context it won't be available on .onion sites either. This bug is more about stopping to bind isSecureContext to HTTPS.

Note: See TracTickets for help on using tickets.