#21323: Activate mixed content blocking
-------------------------------------------------+-------------------------
 Reporter:  arthuredelstein                      |          Owner:  tbb-team
     Type:  defect                               |         Status:  closed
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:  fixed
 Keywords:  TorBrowserTeam201705R,               |  Actual Points:
  GeorgKoppen201705                              |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by gk):

 * status:  needs_information => closed
 * resolution:   => fixed

Comment:

 Replying to [comment:20 gk]:
 > Replying to [comment:18 legind]:
 > > This is another issue entirely, partially mitigated by `upgrade-insecure-requests`, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests.
 >
 > No, it is not. See: https://bugzilla.mozilla.org/show_bug.cgi?id=878890#c3. If the content policy (which Mixed Content Blocking (MCB) relies on) would have been called after all the redirects would have taken place we would not have this discussion now. :) But as I said above, while Mozilla did not fix the underlying problem they solved it differently for the MCB case. Actually, I have not checked whether it can still be the case that resources loaded over HTTP that would have been rewritten by an HTTPS-Everywhere rule (but are not due to MCB) would still be blocked by MCB before that could happen. If so, then the bug is still open for a good reason (and our #13033) as well. What I just meant was that redirects are taken into account now, so that the HTTPS -> HTTP downgrade issue is not a problem anymore.
 >

 Alright, after going over all the arguments I think it is okay for us to activate mixed content blocking. I won't do that by setting the pref to `true` as Arthur did but just by removing that entry in our `000-tor-browser.js`, which means we are using the default Firefox provides (which is enabling the mixed content blocker) from now on. This is done with commit c1a5e1abf6ee05b0b1d3b1462b3c9e1c180b153e and 29b34b444229fd09fcf7741a206230385e843fde on `tor-browser-52.1.0esr-7.0-2` and `tor-browser-52.1.1esr-7.0-1`.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21323#comment:21>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online