[tor-commits] [Git][tpo/applications/tor-browser][tor-browser-128.2.0esr-14.0-1] fixup! Bug 23247: Communicating security expectations for .onion

To: tor-commits@xxxxxxxxxxxxxxxxxxxx

Subject: [tor-commits] [Git][tpo/applications/tor-browser][tor-browser-128.2.0esr-14.0-1] fixup! Bug 23247: Communicating security expectations for .onion

From: "Pier Angelo Vendrame \(@pierov\) via tor-commits" <tor-commits@xxxxxxxxxxxxxxxxxxxx>

Date: Thu, 29 Aug 2024 08:24:40 +0000

Auto-submitted: auto-generated

Cc: "Pier Angelo Vendrame \(@pierov\)" <git@xxxxxxxxxxxxxxxxxxxxx>

Delivered-to: archiver@xxxxxxxx

Delivery-date: Thu, 29 Aug 2024 04:24:53 -0400

Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=lists.torproject.org; s=2022-eugeni; t=1724919889; bh=iRibyK2V6VcvR9QHMHQEPjl6mNIFi5rBg2cZsYGLUkY=; h=Date:To:Subject:List-Id:List-Unsubscribe:List-Archive:List-Post: List-Help:List-Subscribe:From:Reply-To:Cc:From; b=hpPtENBNNeGXR+oBTQL53rurS9M6a+DenncxLZSFtyD//S+uI8SUIBC57CUrXIq8i WQRTipLiMmh7VcLfDlOf7qY5xwS8FIB8ayc9IljAwsxZ8zsdUTvpkDAH1N3Idz2d0W J49DN2FphzyBWGSbv1Bjq9tXf0pEaLVKh1IdS/4S+cKaZV0s5eHAqzRBP8SkpGU8kS KCqENqlUN8aN134Q42QIDlOooVpMg1MZxLHZKX4/1ywoldZEWMK4bsO4IA2yfzgwk0 QYPXbrxnjvou4/+d4j+7+k7JqA5bq1/eT9svhJKrKuH2fMFo4y0NigQv4i4WCo+1Fh AIL65/XoOiZgQ==

List-archive: <http://lists.torproject.org/pipermail/tor-commits/>

List-help: <mailto:tor-commits-request@lists.torproject.org?subject=help>

List-id: "auto: code repository commits" <tor-commits.lists.torproject.org>

List-post: <mailto:tor-commits@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits>, <mailto:tor-commits-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-commits>, <mailto:tor-commits-request@lists.torproject.org?subject=unsubscribe>

Reply-to: noreply@xxxxxxxxxxxxxx

Sender: "tor-commits" <tor-commits-bounces@xxxxxxxxxxxxxxxxxxxx>

Title: GitLab

Pier Angelo Vendrame pushed to branch tor-browser-128.2.0esr-14.0-1 at The Tor Project / Applications / Tor Browser

Commits:

df421101

by Pier Angelo Vendrame at 2024-08-29T10:15:34+02:00

fixup! Bug 23247: Communicating security expectations for .onion

Bug 42743: Check for .onion in the actual document URI in pageInfo.

One of our patches checks whether we are in a .onion domain when
showing the security information in pageInfo.xhtml.
However, it checks it in the requested URI rather than doing it on the
actually loaded URI, therefore about:neterror is shown as a secure
Onion service, which is not consistent with failures in loading
clearnet domains with HTTPS.

1 changed file:

browser/base/content/pageinfo/security.js

Changes:

browser/base/content/pageinfo/security.js

@@ -53,16 +53,15 @@ var security = {
        (Ci.nsIWebProgressListener.STATE_LOADED_MIXED_ACTIVE_CONTENT |
          Ci.nsIWebProgressListener.STATE_LOADED_MIXED_DISPLAY_CONTENT);
      var isEV = ui.state & Ci.nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL;
 -    var isOnion = false;
 -    let hostName;
 -    try {
 -      hostName = Services.eTLD.getBaseDomain(this.uri);
 -    } catch (e) {
 -      hostName = this.windowInfo.hostName;
 -    }
 -    if (hostName && hostName.endsWith(".onion")) {
 -      isOnion = true;
 +    let uriInformation = new URL(gDocInfo.documentURIObject.spec);
 +    // If the Onion site could not be loaded, the view-source will be also be
 +    // about:neterror.
 +    if (uriInformation.protocol == "view-source:") {
 +      uriInformation = new URL(uriInformation.pathname);
+     }
 +    const isOnion =
 +      ["http:", "https:"].includes(uriInformation.protocol) &&
 +      uriInformation.hostname.endsWith(".onion");
      let retval = {
        cAName: "",

_______________________________________________ tor-commits mailing list tor-commits@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits