-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
.onion request in regular window should also avoid DNS leakage #14261
Comments
For reference, this is mentioned in RFC7686. Here's Firefox test case for it: https://searchfox.org/mozilla-central/source/netwerk/test/unit/test_dns_onion.js |
Verification passed on
Verified the test plan from https://github.com/brave/brave-core/pull/8040#issue-578027432Auto redirect off
Auto redirect on Confirmed visiting Verified the test plan from https://github.com/brave/brave-core/pull/7713#issue-562159331
Verified passed with
Reproduced issue using STR from description with Verified test plan from brave/brave-core#8040 using Auto Redirect OffConfirmed that visiting Clicked on the "Open in Tor" button in above window. Confirmed Went to tab from step 2 and entered Auto Redirect OnConfirmed visiting Verification passed on
Verified test plan from brave/brave-core#8040 Reproduced the issue on 1.20.108 Auto Redirect OffVerified an error page is shown and that the .onion didn't result in a DNS lookup. Auto Redirect OnConfirmed visiting Verified
Auto redirect off
Auto redirect on
From brave/brave-core#7713: Verified we only have single Tor tabs, and that we didn't close the |
#13527 fixed the issue of .onion leaking DNS in Tor windows, but the issue should also be fixed in regular windows because users may accidentally enter a .onion in a regular window instead of a Tor window. this happens regardless of whether the 'Automatically redirect .onion' option is selected.
STR:
expected behavior: brave should block DNS if it sees a top-level navigation to a .onion URL both when the 'Automatically redirect .onion' is on and when it is off.
The text was updated successfully, but these errors were encountered: