Opened 3 years ago

Last modified 8 months ago

#21728 new enhancement

Features that are made "HTTPS-only" should be available on .onion sites as well

Reported by: gk
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc: yawning
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor: Sponsor27

Description

Firefox 49 is adding an isSecureContext attribute (https://developer.mozilla.org/en-US/docs/Web/API/Window/isSecureContext); we should make sure it returns true on .onion sites as well.

Child Tickets

Ticket  Type         Status  Owner     Summary
#21004  defect       closed  tbb-team  "JavaScript is disabled by default on all non-HTTPS sites" option shouldn't block JS on hidden services
#27307  defect       closed  tbb-team  NoScript marks HTTP Onion as insecure
#27313  enhancement  closed  tbb-team  Help NoScript marking HTTP .onions as secure
#28478  enhancement  new     tbb-team  Enable http2 for .onion without https
#29705  defect       new     tbb-team  Enable Brotli compression for .onion domains
#31899  task         new     tbb-team  Hook .onion with URI_IS_POTENTIALLY_TRUSTWORTHY?

Change History (3)

comment:1 Changed 3 years ago by yawning

Cc: yawning added

Can this be made opt-in? I don't really think Tor Browser should support any of the APIs that require Secure Contexts in the first place, even with HTTPS...

https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts

comment:2 in reply to:  1 Changed 3 years ago by gk

Replying to yawning:

> Can this be made opt-in? I don't really think Tor Browser should support any of the APIs that require Secure Contexts in the first place, even with HTTPS...
>
> https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts

If it turns out to be the case that we think an API is to be disabled in an HTTPS context, it won't be available on .onion sites either. This bug is more about no longer binding isSecureContext to HTTPS.
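
What comment:2 describes, decoupling the secure-context decision from the HTTPS scheme, sketched as an added example (not code from Firefox, Tor Browser or this ticket). It simplifies the Secure Contexts "potentially trustworthy origin" check; `isPotentiallyTrustworthy`, the opt-in `treatOnionAsSecure` option and the sample hostnames are assumptions constructed for illustration.

```javascript
// Added illustration: simplified "potentially trustworthy origin" decision.
// Hypothetical helper, not browser code. treatOnionAsSecure is an assumed
// opt-in switch; it defaults to off, which is the HTTPS-bound behaviour.
function isPotentiallyTrustworthy(urlString, { treatOnionAsSecure = false } = {}) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparsable input is never trustworthy
  }

  // Transport-authenticated schemes are trustworthy on their own.
  if (url.protocol === "https:" || url.protocol === "wss:") return true;

  // Compare on the parsed hostname only (never the raw string), lower-cased
  // and without a trailing root dot, so userinfo or suffix tricks do not match.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");

  // Loopback never leaves the machine.
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (/^127(\.\d{1,3}){3}$/.test(host) || host === "[::1]") return true;

  // The behaviour requested in this ticket: plain-HTTP onion services are
  // authenticated by the onion address itself, so treat them as secure.
  if (treatOnionAsSecure && (url.protocol === "http:" || url.protocol === "ws:")) {
    return host.endsWith(".onion") && host.length > ".onion".length;
  }
  return false;
}

// Constructed sample inputs; the hostnames are placeholders, not real services.
const samples = [
  "https://example.com/",
  "http://exampleonionaddress.onion/",
  "http://exampleonionaddress.onion.example.com/", // look-alike suffix
  "http://exampleonionaddress.onion@example.com/", // onion name in userinfo
];
for (const s of samples) {
  console.log(s, isPotentiallyTrustworthy(s, { treatOnionAsSecure: true }));
}
```

The last two samples show why the decision has to be made on the parsed hostname: both contain an onion name but resolve to an ordinary HTTP host and stay untrusted.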

comment:3 Changed 8 months ago by gk

Sponsor: Sponsor27