#21537: Consider ignoring secure cookies for .onion addresses
 Reporter:  micah                                |          Owner:  tbb-team
     Type:  enhancement                          |         Status:  needs_review
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-usability, TorBrowserTeam201804R, GeorgKoppen201804  |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:

Comment (by arthuredelstein):

 Replying to [comment:13 gk]:
 > Replying to [comment:12 pospeselr]:
 > > Change looks good, only thing I'd suggest is moving the block at 3340 a couple lines up before the Telemetry::Accumulate call (since the enum seems to be a question of cookie security, rather than http(s)).
 > >
 > > I also verified the hostURI that's passed in is already normalized, so we don't have to worry about case-insensitive string compare.
 > Thanks. I added the suggested change in `bug_21537_v3` browser.git/log/?h=bug_21537_v3). Let me know if that still looks good.

 The code looks good to me, but I would suggest factoring out the repeated
 security checks by creating a static function like:
 `bool IsSecureHost(nsIURI *aHostURI)`
 that returns true for both https and .onion URIs.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21537#comment:14>
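
The helper suggested in comment 14, sketched as an added example (not Tor Browser's code or the patch under review). `HostURI` is a hypothetical stand-in for `nsIURI`, `HostIsOnion` and `AcceptSecureCookie` are illustrative names, and the host is assumed to be already lowercase-normalized, as noted in the thread.

```cpp
#include <iostream>
#include <string>
#include <string_view>

// Hypothetical stand-in for the two nsIURI fields the check needs.
// Assumption: host is already normalized to lowercase (see comment 12).
struct HostURI {
    std::string scheme;  // e.g. "http", "https"
    std::string host;    // e.g. "example.onion"
};

// True only when the last label of the host is exactly "onion".
// A plain substring search would wrongly accept "abc.onion.example.com".
static bool HostIsOnion(std::string_view host) {
    // Choice made in this sketch: tolerate one trailing dot (FQDN form).
    if (!host.empty() && host.back() == '.') host.remove_suffix(1);
    constexpr std::string_view kSuffix = ".onion";
    // Require at least one label in front of ".onion".
    if (host.size() <= kSuffix.size()) return false;
    return host.substr(host.size() - kSuffix.size()) == kSuffix;
}

// Single predicate for every call site: https or .onion counts as secure.
static bool IsSecureHost(const HostURI& uri) {
    return uri.scheme == "https" || HostIsOnion(uri.host);
}

// Simplified model of the cookie gate: a cookie carrying the Secure flag
// is accepted only from a secure host; other cookies are unaffected.
static bool AcceptSecureCookie(const HostURI& uri, bool cookieIsSecure) {
    return !cookieIsSecure || IsSecureHost(uri);
}

int main() {
    // Constructed sample hosts, not taken from the ticket.
    const HostURI samples[] = {
        {"https", "example.com"},
        {"http", "abc.onion"},
        {"http", "abc.onion.example.com"},
        {"http", "notonion"},
    };
    for (const auto& u : samples) {
        std::cout << u.scheme << "://" << u.host << " secure="
                  << IsSecureHost(u) << '\n';
    }
    return 0;
}
```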
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online