Pier Angelo Vendrame pushed to branch tor-browser-128.2.0esr-14.0-1 at The Tor Project / Applications / Tor Browser

Commits: df421101 by Pier Angelo Vendrame at 2024-08-29T10:15:34+02:00 fixup! Bug 23247: Communicating security expectations for .onion

Bug 42743: Check for .onion in the actual document URI in pageInfo.

One of our patches checks whether we are in a .onion domain when showing the security information in pageInfo.xhtml. However, it checks it in the requested URI rather than doing it on the actually loaded URI, therefore about:neterror is shown as a secure Onion service, which is not consistent with failures in loading clearnet domains with HTTPS.

- - - - -

1 changed file:

- browser/base/content/pageinfo/security.js

Changes:

===================================== browser/base/content/pageinfo/security.js ===================================== @@ -53,16 +53,15 @@ var security = { (Ci.nsIWebProgressListener.STATE_LOADED_MIXED_ACTIVE_CONTENT | Ci.nsIWebProgressListener.STATE_LOADED_MIXED_DISPLAY_CONTENT); var isEV = ui.state & Ci.nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL; - var isOnion = false; - let hostName; - try { - hostName = Services.eTLD.getBaseDomain(this.uri); - } catch (e) { - hostName = this.windowInfo.hostName; - } - if (hostName && hostName.endsWith(".onion")) { - isOnion = true; + let uriInformation = new URL(gDocInfo.documentURIObject.spec); + // If the Onion site could not be loaded, the view-source will be also be + // about:neterror. + if (uriInformation.protocol == "view-source:") { + uriInformation = new URL(uriInformation.pathname); } + const isOnion = + ["http:", "https:"].includes(uriInformation.protocol) && + uriInformation.hostname.endsWith(".onion");

let retval = { cAName: "",

View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/df421101...