From 7d61e899b45668e967731a4372d80161f7d36870 Mon Sep 17 00:00:00 2001
From: Georg Koppen
Date: Thu, 3 Aug 2017 09:07:37 +0000
Subject: [PATCH] Bug 21321: .onion domains are shown as non-secure Websites which collect passwords but don't use HTTPS start showing scary warnings from Firefox 51 onwards (see: blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/ for details). .onion sites without HTTPS support are affected as well, although their traffic is encrypted and authenticated. This patch addresses this shortcoming by making sure .onion sites are treated as potentially trustworthy origins. The secure context specification (https://w3c.github.io/webappsec-secure-contexts/) is pretty much focused on tying security and trustworthiness to the protocol over which domains are accessed. However, it is not obvious why .onion sites should not be treated as potentially trustworthy given: "A potentially trustworthy origin is one which a user agent can generally trust as delivering data securely. This algorithms [sic] considers certain hosts, scheme, and origins as potentially trustworthy, even though they might not be authenticated and encrypted in the traditional sense." (https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy) We use step 8 in the algorithm to establish trustworthiness of .onion sites by whitelisting them given the encrypted and authenticated nature of their traffic.
---
 browser/app/profile/000-tor-browser.js | 3 +++
 dom/security/nsContentSecurityManager.cpp | 8 ++++++++
 2 files changed, 11 insertions(+)
diff --git a/browser/app/profile/000-tor-browser.js b/browser/app/profile/000-tor-browser.js
index 3bba1e6cad712..32922418b12f0 100644
--- a/browser/app/profile/000-tor-browser.js
+++ b/browser/app/profile/000-tor-browser.js
@@ -356,6 +356,9 @@ pref("security.ssl.errorReporting.enabled", false);
 // in case the download panel got removed from the toolbar.
 pref("browser.download.panel.shown", true);
+// Treat .onions as secure
+pref("dom.securecontext.whitelist_onions", true);
+
 #ifdef TOR_BROWSER_VERSION
 #expand pref("torbrowser.version", __TOR_BROWSER_VERSION__);
 #endif
diff --git a/dom/security/nsContentSecurityManager.cpp b/dom/security/nsContentSecurityManager.cpp
index c4e1ed8e18a93..c95226b56e913 100644
--- a/dom/security/nsContentSecurityManager.cpp
+++ b/dom/security/nsContentSecurityManager.cpp
@@ -689,6 +689,14 @@ nsContentSecurityManager::IsOriginPotentiallyTrustworthy(nsIPrincipal* aPrincipa
 }
 }
 }
+ // Maybe we have a .onion URL. Treat it as whitelisted as well when
+ // `dom.securecontext.whitelist_onions` is `true`.
+ bool whitelistOnions =
+ Preferences::GetBool("dom.securecontext.whitelist_onions", false);
+ if (whitelistOnions && StringEndsWith(host, NS_LITERAL_CSTRING(".onion"))) {
+ *aIsTrustWorthy = true;
+ return NS_OK;
+ }
 }
 return NS_OK;
-- GitLab
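Review bot: The comment `// Treat .onions as secure` on the new pref does not say what is being granted or what the setting depends on. In the nsContentSecurityManager.cpp hunk of this patch the pref makes any origin whose host ends in `.onion` potentially trustworthy on the host name alone, so it is only sound in a build where every .onion request is carried over Tor. I would say so at the pref, e.g. `// Treat .onion origins as potentially trustworthy (secure context); sound only while all .onion traffic is routed through Tor.`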
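Review bot: The suffix test `StringEndsWith(host, NS_LITERAL_CSTRING(".onion"))` is an exact, case-sensitive match, and `host` is assigned outside the hunk, so it is not visible whether it is already lower-cased and free of a trailing dot. A miss fails closed (the origin just stays untrusted), but `foo.onion` and `foo.ONION` could then be treated differently; a one-line comment stating that `host` is the normalised ASCII host, or a case-insensitive comparator, would settle it. Separately, the pref is looked up on every call that reaches this point, before the cheap suffix test; testing the suffix first, `if (StringEndsWith(host, NS_LITERAL_CSTRING(".onion")) && Preferences::GetBool("dom.securecontext.whitelist_onions", false)) {`, skips the lookup for every non-onion host and makes the `whitelistOnions` local unnecessary. The enclosing function starts and ends outside the hunk.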