Opened 2 years ago

Last modified 2 years ago

#24616 new defect

Audit the use of IsSecureContext to avoid bleeding http/https origins

Reported by: tom
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc: arthuredelstein
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

http://example.com and https://example.com are different origins and do not share state (cookies, etc.).

If TB edits IsSecureContext to make .onion secure, it may be the case that the origin separation checks use IsSecureContext and thus data will bleed between them. That would be bad.

We could probably talk to Kate about this.

Change History (2)

comment:1 Changed 2 years ago by arthuredelstein

Cc: arthuredelstein added

comment:2 in reply to:  description Changed 2 years ago by gk

Replying to tom:

> http://example.com and https://example.com are different origins and do not share state (cookies, etc.).
>
> If TB edits IsSecureContext to make .onion secure,

Why should we want to do that? I deliberately avoided that when fixing #21321 because messing with secure contexts in an .onion context is risky (for one, it needs a spec update, as https://w3c.github.io/webappsec-secure-contexts/ does not treat .onion as a secure context). And it seems to me we can avoid that at a fairly low cost by treating it as potentially trustworthy. See https://bugzilla.mozilla.org/show_bug.cgi?id=1382359, where Christoph said this approach looks good to him. FWIW: I still plan to provide the second half of the patch for that bug this year.
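The concern raised in this ticket, as an added example that is not part of the ticket and is not Tor Browser or Firefox code: state keyed by the origin tuple keeps http and https apart, while a key derived from a security flag merges them once http .onion counts as secure. All function names, the simplified trust predicate and the sample hostnames are assumptions made for illustration.

```javascript
// Added illustration: hypothetical helper names, not Tor Browser or Firefox code.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin as the (scheme, host, port) tuple; the scheme is part of the key.
function originKey(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname}:${u.port || DEFAULT_PORTS[u.protocol] || ""}`;
}

// Simplified trust predicate (assumption): https, or http to a .onion host.
function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  return u.protocol === "https:" ||
    (u.protocol === "http:" && u.hostname.endsWith(".onion"));
}

// Hazard under audit: a state key built from the trust flag instead of the scheme.
function flagDerivedKey(url) {
  const u = new URL(url);
  return `${isPotentiallyTrustworthy(url) ? "secure" : "insecure"}|${u.hostname}`;
}

// Returns every group of distinct origins that a keying function maps to one key.
function findCollisions(urls, keyFn) {
  const groups = new Map();
  for (const url of urls) {
    const key = keyFn(url);
    if (!groups.has(key)) groups.set(key, new Set());
    groups.get(key).add(originKey(url));
  }
  return [...groups.values()].filter((s) => s.size > 1).map((s) => [...s].sort());
}

// Constructed sample URLs (the .onion hostname is a placeholder, not a real service).
const SAMPLE_URLS = [
  "http://example.com/",
  "https://example.com/",
  "http://constructedexample.onion/",
  "https://constructedexample.onion/",
];

console.log(findCollisions(SAMPLE_URLS, originKey));      // no collisions
console.log(findCollisions(SAMPLE_URLS, flagDerivedKey)); // the two .onion origins collide
```

An audit of this kind looks for any cache, storage or permission key that is computed from the trust flag where the scheme belongs.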
