Re: [tor-bugs] #8774 [EFF-HTTPS Everywhere]: Disable mixed content rulesets on FF 23+
#8774: Disable mixed content rulesets on FF 23+
----------------------------------+-----------------------------------------
Reporter: pde | Owner: pde
Type: defect | Status: new
Priority: critical | Milestone: HTTPS-E 4.0dev8
Component: EFF-HTTPS Everywhere | Version:
Keywords: | Parent: #6975
Points: | Actualpoints:
----------------------------------+-----------------------------------------
Comment(by mikeperry):
For Tor's use case, the current mixed content blocking in Firefox offers
no significant benefit as-is. The "active vs passive content" blocking
distinction does not reflect the realities of the capabilities of cookie
theft adversaries, and the use of nsIContentPolicy makes the security
properties subject to the irregular behaviors and incomplete coverage of
that API.
If Tor Browser were to head in the partial content blocking direction, it
would be to disable *all* Javascript from non-https schemes regardless of
the sourcing scheme, and provide our own doorhanger UI to enable scripts
for that first party url bar domain if the user desired. (NoScript is
somewhat capable of doing this for us already, but the UX is abysmal and
not in any way related to the first party url.)
Under this model, we would want to leave these HTTPS-Everywhere mixed
content rules enabled, and we would simply entirely disable the native
insecure partial mixed content blocking in Tor Browser. I imagine vanilla
Firefox users who use both HTTPS-Everywhere and NoScript would be in favor
of an option to keep these rules enabled for this "no javascript over
http" usage pattern, as well.
In fact, since HTTPS-Everywhere already implements an
http-on-modify-request observer, we could pretty much disable whatever Firefox does and
re-implement it easier, cleaner, and more securely from our own observer.
Then we could provide the user with multiple options: Full, strict mixed
content blocking; https-only Javascript loading; and Firefox-style
insecure partial blocking and rule neutering.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8774#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
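The three options the comment proposes (full strict mixed content blocking, https-only JavaScript loading, and Firefox-style partial blocking of "active" content) as an added example, not code from HTTPS-Everywhere, Tor Browser or the comment's author. It is a pure policy function over constructed request records; the real http-on-modify-request observer, nsIHttpChannel handling and doorhanger UI are assumed to sit around it and are left out.

```javascript
// Policy modes described in the ticket comment.
const MODE = {
  STRICT: "strict",        // block every non-https subresource on an https page
  HTTPS_ONLY_JS: "js",     // block scripts from non-https schemes on any page
  FIREFOX_PARTIAL: "ff",   // block only "active" http content on https pages
};

// Content types Firefox-style partial blocking treats as "active"
// (assumed list for this example; passive content such as images is allowed).
const ACTIVE_TYPES = new Set(["script", "stylesheet", "object", "subdocument", "xhr"]);

// Assumed request record shape (constructed for this example):
//   { url, type, firstPartyUrl }  where type is image|script|stylesheet|...
// allowedFirstParties models the per-first-party doorhanger opt-in.
function shouldBlock(req, mode, allowedFirstParties = new Set()) {
  const target = new URL(req.url);
  const firstParty = new URL(req.firstPartyUrl);
  const targetSecure = target.protocol === "https:";
  const pageSecure = firstParty.protocol === "https:";

  switch (mode) {
    case MODE.HTTPS_ONLY_JS:
      // The sourcing page's scheme is irrelevant: only https scripts load,
      // unless the user enabled scripts for this first-party domain.
      if (req.type !== "script" || targetSecure) return false;
      return !allowedFirstParties.has(firstParty.hostname);
    case MODE.STRICT:
      // Any insecure load into a secure page is blocked, active or passive.
      return pageSecure && !targetSecure;
    case MODE.FIREFOX_PARTIAL:
      // Passive http content (e.g. images) is still allowed on https pages.
      return pageSecure && !targetSecure && ACTIVE_TYPES.has(req.type);
    default:
      throw new Error(`unknown mode ${mode}`);
  }
}

// Apply one policy to a list of requests; returns per-request decisions.
function filterRequests(requests, mode, allowedFirstParties) {
  return requests.map(r => ({ url: r.url, blocked: shouldBlock(r, mode, allowedFirstParties) }));
}
```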