Closed Bug 1633015 Opened 4 years ago Closed 4 years ago

Allow 'secure' cookies when set by .onion site

Categories

(Core :: Networking: Cookies, task, P5)

Tracking

RESOLVED FIXED
mozilla77
Tracking Status
firefox77 --- fixed

People

(Reporter: acat, Assigned: acat)

Details

(Whiteboard: [necko-triaged] [tor 21537] )

Attachments

(1 file)

In Tor Browser we maintain a patch to allow secure cookies when set by a .onion site. Thanks to bug 1618113 most of the patch is now upstreamed, given that IsPotentiallyTrustworthyOrigin returns true for .onion hosts, when pref dom.securecontext.whitelist_onions=true.

There is one missing piece that allows a trustworthy origin to modify a previously secure cookie and make it non-secure. Bug 1618113 did not modify that for localhost, but we allow it in our patch. The code at the time of writing this is in https://searchfox.org/mozilla-central/rev/b8fbb6ead517720daf0b0211115f407b4b951c74/netwerk/cookie/CookieStorage.cpp#412. Currently it just checks for https, but I think if the definition of "secure" protocol used in bug 1618113 also applies here, it should be ok to also use IsPotentiallyTrustworthyOrigin for this check.
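The following Python is an added illustration, not Firefox code and not the attached patch: it models the two checks the comment above distinguishes, the already-upstreamed rule that a Secure cookie needs a trustworthy setter, and the remaining "leave secure cookies alone" check that only accepted https when replacing an existing Secure cookie. The trustworthy-origin predicate is a simplified stand-in for IsPotentiallyTrustworthyOrigin() (its scheme and host lists are assumptions), and the .onion hostnames are constructed.

```python
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def is_potentially_trustworthy_origin(url, whitelist_onions=False):
    """Simplified stand-in (an assumption, not Firefox's real list) for
    IsPotentiallyTrustworthyOrigin(): secure schemes, loopback hosts, and
    .onion hosts only when dom.securecontext.whitelist_onions is true."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme in ("https", "wss", "file"):
        return True
    if host in LOOPBACK_HOSTS or host.endswith(".localhost"):
        return True
    return bool(whitelist_onions) and host.endswith(".onion")


def may_replace_secure_cookie(setter_url, *, fixed, whitelist_onions=False):
    """The CookieStorage.cpp check this bug changes: before the fix it
    required the scheme to be https; after it, any trustworthy origin passes."""
    if fixed:
        return is_potentially_trustworthy_origin(setter_url, whitelist_onions)
    return urlsplit(setter_url).scheme.lower() == "https"


class CookieJar:
    """Minimal jar keyed by cookie name; each entry records the Secure flag."""

    def __init__(self, *, fixed, whitelist_onions=False):
        self.fixed = fixed
        self.whitelist_onions = whitelist_onions
        self.cookies = {}  # name -> (value, secure)

    def set_cookie(self, setter_url, name, value, secure=False):
        """Return True if the cookie was stored, False if it was rejected."""
        # Already upstream via bug 1618113: a Secure cookie needs a trustworthy setter.
        if secure and not is_potentially_trustworthy_origin(setter_url, self.whitelist_onions):
            return False
        existing = self.cookies.get(name)
        # The missing piece: replacing an existing Secure cookie from a non-https setter.
        if existing is not None and existing[1] and not may_replace_secure_cookie(
                setter_url, fixed=self.fixed, whitelist_onions=self.whitelist_onions):
            return False
        self.cookies[name] = (value, secure)
        return True
```

With `fixed=False` an onion site can set a Secure cookie but can never replace it with a non-secure one; with `fixed=True` it can, while plain http origins are still refused in both modes.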

Whiteboard: [tor 21537]

Allow secure cookies when set by a .onion site if
the pref dom.securecontext.whitelist_onions is set to true.
Most of the needed parts were introduced in bug 1618113, due
to the fact that the IsPotentiallyTrustworthyOrigin() check
also takes into account onion hostnames.

This adds one missing check, allowing a trustworthy origin
(e.g. onion site) to replace a secure cookie by an insecure
one, as well as adding some tests for the .onion case.

Assignee: nobody → acat
Status: NEW → ASSIGNED
Priority: -- → P5
Whiteboard: [tor 21537] → [necko-triaged] [tor 21537]
Pushed by dluca@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ecebb59572e0
Allow 'secure' cookies when set by .onion site r=baku
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla77