Re: [tor-bugs] #28005 [Applications/Tor Browser]: Officially support onions in HTTPS-Everywhere

["Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>]

#28005: Officially support onions in HTTPS-Everywhere
-------------------------------------------------+-------------------------
 Reporter:  asn                                  |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:
                                                 |  needs_review
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-hs, https-everywhere, network-   |  Actual Points:  18
  team-roadmap-november, network-team-roadmap-   |
  2020Q1, TorBrowserTeam202003R, ux-team         |
Parent ID:  #30029                               |         Points:  20
 Reviewer:  mcs, sysrqb, antonela                |        Sponsor:
                                                 |  Sponsor27-must
-------------------------------------------------+-------------------------

Comment (by mcs):

 Replying to [comment:34 acat]:
 > The issue with
 https://trac.torproject.org/projects/tor/ticket/21952#comment:117 would
 also affect this one, so I made a small revision to not use
 `onStateChange` and use `onLocationChange` instead:
 https://github.com/acatarineu/tor-browser/commit/28005+3.

 Good catch. Just a few more comments from Kathy and me:

 Is there a version of HTTPS-E available that supports the new
 `get_simple_rules_ending_with` API? When we tested with HTTPS-E 2020.3.16
 we saw some strange behavior, but if that is supposed to work we can try
 again.

 Related to `browser/components/onionservices/HttpsEverywhereControl.jsm`:
 * Should we open a new ticket for the "lock the channel to prevent user
 changes" issue? Is it a foot gun? I guess the idea is that we do not want
 users to substitute their own URL, etc. with the SecureDrop ruleset. On
 the other hand, I think users can add their own .tor.onion rules.
 * In `getRulesetTimestamp()` please add a comment to explain the structure
 of the rulesets returned by HTTPS-E via `get_ruleset_timestamps` (or maybe
 the comment can point to some HTTPS-E doc or code). For example, why do we
 have `return securedrop[1];`?

 Related to `browser/components/onionservices/OnionAliasStore.jsm`:
 * Within the `_periodicRulesetCheck()` comment s/preferrable/preferable/
 * Within the `init()` comment: s/a http observer/an http observer/
 * In the "Found ruleset" debugging output, there is a space after the
 first timestamp, e.g., `OnionAlias: Found ruleset timestamp 1582940785 ,
 current is 1582940785`. I wonder if you can use string substitutions to
 construct the log messages instead of a list of JS values
 (https://developer.mozilla.org/en-
 US/docs/Web/API/Console#Using_string_substitutions).

 Related to Torbutton's `chrome/content/tor-circuit-display.js`:
 * Within `xmlTree() the `let element =` block is indented too much.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28005#comment:35>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs