Allow 'secure' cookies when set by .onion site
Categories
(Core :: Networking: Cookies, task, P5)
Tracking
()
Tracking | Status | |
---|---|---|
firefox77 | --- | fixed |
People
(Reporter: acat, Assigned: acat)
Details
(Whiteboard: [necko-triaged] [tor 21537] )
Attachments
(1 file)
In Tor Browser we maintain a patch to allow secure cookies when set by a .onion site. Thanks to bug 1618113 most of the patch is now upstreamed, given that IsPotentiallyTrustworthyOrigin
returns true
for .onion
hosts, when pref dom.securecontext.whitelist_onions=true
.
There is one missing piece that allows a trustworthy origin
to modify a previously secure cookie and make it non-secure. Bug 1618113 did not modify that for localhost
, but we allow it in our patch. The code at the time of writing this is in https://searchfox.org/mozilla-central/rev/b8fbb6ead517720daf0b0211115f407b4b951c74/netwerk/cookie/CookieStorage.cpp#412. Currently it just checks for https
, but I think if the definition of "secure" protocol used in bug 1618113 also applies here, it should be ok to also use IsPotentiallyTrustworthyOrigin
for this check.
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Comment 1•4 years ago
|
||
Allow secure cookies when set by a .onion site if
the pref dom.securecontext.whitelist_onions is set to true.
Most of the needed parts were introduced in bug 1618113, due
to the fact that the IsPotentiallyTrustworthyOrigin()
check
also takes into account onion hostnames.
This adds one missing check, allowing a trustworthy origin
(e.g. onion site) to replace a secure cookie by an insecure
one, as well as adding some tests for the .onion case.
Updated•4 years ago
|
Updated•4 years ago
|
Pushed by dluca@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ecebb59572e0 Allow 'secure' cookies when set by .onion site r=baku
Comment 3•4 years ago
|
||
bugherder |
Description
•