Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-17 15:25:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
dd4fb3ba9f
gecko-dev/dom/security
History
Georg Koppen dd4fb3ba9f Bug 1382359: Treat .onion as a secure context 
Websites which collect passwords but don't use HTTPS start showing scary
warnings from Firefox 51 onwards and mixed context blocking has been
available even longer.

.onion sites without HTTPS support are affected as well, although their
traffic is encrypted and authenticated. This patch addresses this
shortcoming by making sure .onion sites are treated as potentially
trustworthy origins.

The secure context specification
(https://w3c.github.io/webappsec-secure-contexts/) is pretty much focused
on tying security and trustworthiness to the protocol over which domains
are accessed. However, it is not obvious why .onion sites should not be
treated as potentially trustworthy given:

"A potentially trustworthy origin is one which a user agent can
generally trust as delivering data securely.

This algorithms [sic] considers certain hosts, scheme, and origins as
potentially trustworthy, even though they might not be authenticated and
encrypted in the traditional sense."
(https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy)

We use step 8 in the algorithm to establish trustworthiness of .onion
sites by whitelisting them given the encrypted and authenticated nature
of their traffic.
2018-03-01 09:44:30 +01:00
..
test Bug 1355166 - Remove remote newtab's dead code. r=ursula 2018-02-28 16:44:00 +02:00
ContentVerifier.cpp Bug 1412125, part 2 - Fix dom/ mode lines. r=qdot 2017-10-26 15:08:41 -07:00
ContentVerifier.h Bug 1412125, part 2 - Fix dom/ mode lines. r=qdot 2017-10-26 15:08:41 -07:00
FramingChecker.cpp Bug 725490 - Change XFO sameorigin to check all ancestors for same origin. r=smaug 2017-11-03 15:37:10 +00:00
FramingChecker.h Bug 1412125, part 2 - Fix dom/ mode lines. r=qdot 2017-10-26 15:08:41 -07:00
moz.build Bug 1407343 Silence multiple classes of warnings for the MinGW build, including not enabling format warnings unless -Wformat is set r=froydnj,glandium 2017-11-16 12:36:33 -06:00
nsContentSecurityManager.cpp Bug 1382359: Treat .onion as a secure context 2018-03-01 09:44:30 +01:00
nsContentSecurityManager.h Bug 1434357: Exempt Web Extensions from insecure redirects to data: URIs. r=kmag,mayhemer 2018-02-18 19:52:52 +01:00
nsCSPContext.cpp Bug 1433958 - Change code that sets nsIURI.userPass to use nsIURIMutator r=mayhemer 2018-02-26 20:43:46 +01:00
nsCSPContext.h Bug 1037335 - Add a pref to enable only within Nightly and Early Beta. r=ckerschb,smaug 2017-11-29 16:55:00 +02:00
nsCSPParser.cpp Bug 1302667 - CSP: Implement 'worker-src'. r=baku,dveditz,mckinley 2017-10-30 18:45:36 +01:00
nsCSPParser.h Bug 1302667 - CSP: Implement 'worker-src'. r=baku,dveditz,mckinley 2017-10-30 18:45:36 +01:00
nsCSPService.cpp Bug 1432358: Make resource URIs subject to CSP. r=gijs 2018-01-25 14:20:31 +01:00
nsCSPService.h
nsCSPUtils.cpp Bug 1418243 - Fix SecurityPolicyViolationEvent.violatedDirective. r=ckerschb 2018-01-16 22:59:00 +02:00
nsCSPUtils.h Bug 1418243 - Fix SecurityPolicyViolationEvent.violatedDirective. r=ckerschb 2018-01-16 22:59:00 +02:00
nsMixedContentBlocker.cpp Bug 1382359: Treat .onion as a secure context 2018-03-01 09:44:30 +01:00
nsMixedContentBlocker.h Bug 1382359: Treat .onion as a secure context 2018-03-01 09:44:30 +01:00
SRICheck.cpp Bug 1399379 - Use memcpy to import/export SRI hashes to the JS bytecode buffer. r=francois 2017-10-03 10:00:00 -04:00
SRICheck.h Bug 1354989 - Avoid pivoting via UTF-16 when loading CSS in the Stylo mode. r=jdm,SimonSapin 2017-08-29 16:01:42 +03:00
SRILogHelper.h
SRIMetadata.cpp Bug 1384233 - Remove SizePrintfMacros.h. r=froydnj 2017-07-26 16:03:57 -04:00
SRIMetadata.h