
[hackerone] block mixed content on .onion sites #25939

Closed
diracdeltas opened this issue Oct 12, 2022 · 4 comments · Fixed by brave/brave-core#15436

Comments

@kjozwiak
Member

kjozwiak commented Dec 6, 2022

@LaurenWags looks like we have a few cases that QA can use outlined via brave/brave-core#15436 (comment) & brave/brave-core#15436 (comment). @diracdeltas would the above be sufficient re: QA verification? If so, we can remove the QA/Blocked label.

@kjozwiak
Member

Removing QA/Blocked after speaking with @diracdeltas. As per #25939 (comment), the above should be sufficient for verification.

@MadhaviSeelam

MadhaviSeelam commented Dec 13, 2022

Verification PASSED using

| Brave | 1.47.126 Chromium: 108.0.5359.99 (Official Build) beta (64-bit) |
| -- | -- |
| Revision | 410951fc34bb4b2cbf182231f9f779efaafaf682-refs/branch-heads/5359_71@{#9} |
| OS | Windows 11 Version 21H2 (Build 22000.1219) |

Case 1: PASSED

  1. Install 1.47.126
  2. launch Brave
  3. click hamburger menu >> New Private window with Tor
  4. Wait until Tor connected successfully message
  5. visit http://xao2lxsmia2edq2n5zxg6uahx6xox2t7bfjw6b5vdzsxi7ezmqob6qid.onion/
  6. open devtools and enter fetch("https://www.example.com") in the console
  7. click on Network
  8. close existing tab and open a new-tab
  9. repeat steps 5-7 with fetch("http://www.example.com")

Confirmed https://www.example.com/ is not blocked.

Confirmed http://www.example.com is blocked with a message blocked:mixed-content in the Network

(screenshots: step 3, step 6 result, step 8 result)

Case 2: PASSED

  1. visit https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion/index.html in a new tab
  2. open devtools and enter fetch("example.com") in the console
  3. click on Network

Confirmed www.example.com is blocked with 404 in the Network

(screenshots: ex1, ex2, ex3)

Case 3: PASSED

  • visit https://mixed.badssl.com/ in a new-tab in Tor window - PASSED
    • confirmed it shows warning messages in the console about an insecure resource being requested (but was upgraded)
      • Mixed Content: The page at 'https://mixed.badssl.com/' was loaded over HTTPS, but requested an insecure element 'http://mixed.badssl.com/image.jpg'. This request was automatically upgraded to HTTPS, For more information see https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html
  • visit https://mixed-favicon.badssl.com/ in a new-tab - PASSED
    • confirmed it shows error message in the console about favicon being blocked
      • Mixed Content: The page at 'https://mixed-favicon.badssl.com/' was loaded over HTTPS, but requested an insecure favicon. 'http://mixed-favicon.badssl.com/favicon.ico'. This request has been blocked; the content must be served over HTTPS.
  • visit https://very.badssl.com/ in a new-tab - PASSED
    • confirmed the page shows both warnings and errors in the console

Verification passed on

| Brave | 1.47.132 Chromium: 108.0.5359.128 (Official Build) beta (64-bit) |
| -- | -- |
| Revision | 1cd27afdb8e5d057070c0961e04c490d2aca1aa0-refs/branch-heads/5359@{#1185} |
| OS | Ubuntu 18.04 LTS |

Case 1: PASSED

  1. Install 1.47.x
  2. launch Brave
  3. click hamburger menu >> New Private window with Tor
  4. Wait until Tor connected successfully message
  5. visit http://xao2lxsmia2edq2n5zxg6uahx6xox2t7bfjw6b5vdzsxi7ezmqob6qid.onion/
  6. open devtools and enter fetch("https://www.example.com") in the console
  7. click on Network
  8. close existing tab and open a new-tab
  9. repeat steps 5-7 with fetch("http://www.example.com")

Confirmed https://www.example.com/ is blocked due to CORS policy

Confirmed http://www.example.com is blocked with a message blocked:mixed-content in the Network

(screenshots: step 3, step 6 result, step 8 result)

Case 2: PASSED

  1. visit https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion/index.html in a new tab
  2. open devtools and enter fetch("example.com") in the console
  3. click on Network

Confirmed www.example.com is blocked with 404 in the Network


Case 3: PASSED

  • visit https://mixed.badssl.com/ in a new-tab in Tor window - PASSED
    • confirmed it shows warning messages in the console about an insecure resource being requested (but was upgraded)
      • Mixed Content: The page at 'https://mixed.badssl.com/' was loaded over HTTPS, but requested an insecure element 'http://mixed.badssl.com/image.jpg'. This request was automatically upgraded to HTTPS, For more information see https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html
  • visit https://mixed-favicon.badssl.com/ in a new-tab - PASSED
    • confirmed it shows error message in the console about favicon being blocked
      • Mixed Content: The page at 'https://mixed-favicon.badssl.com/' was loaded over HTTPS, but requested an insecure favicon. 'http://mixed-favicon.badssl.com/favicon.ico'. This request has been blocked; the content must be served over HTTPS.
  • visit https://very.badssl.com/ in a new-tab - PASSED
    • confirmed the page shows both warnings and errors in the console

@stephendonner

stephendonner commented Dec 20, 2022

Verification PASSED using

| Brave | 1.47.135 Chromium: 108.0.5359.128 (Official Build) beta (x86_64) |
| -- | -- |
| Revision | 1cd27afdb8e5d057070c0961e04c490d2aca1aa0-refs/branch-heads/5359@{#1185} |
| OS | macOS Version 11.7.2 (Build 20G1020) |

Case 1: PASSED

  1. install 1.47.135
  2. launched Brave
  3. clicked "hamburger" menu -> New Private Window with Tor
  4. waited until Tor connected successfully message
  5. visited http://xao2lxsmia2edq2n5zxg6uahx6xox2t7bfjw6b5vdzsxi7ezmqob6qid.onion/
  6. opened Developer Tools and entered fetch("https://www.example.com") in the console
  7. clicked on the Network panel
  8. closed existing tab and opened a new tab
  9. repeated steps 5-7 with fetch("http://www.example.com")

Confirmed https://www.example.com/ is blocked due to CORS policy
Confirmed http://www.example.com is blocked with a message blocked:mixed-content in the Network panel

(screenshots: step 4, step 6 result, step 9 result)

Case 2: PASSED

  1. visited https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion/index.html in a new tab
  2. opened Developer Tools and entered fetch("example.com") in the Console panel
  3. clicked on the Network panel

Confirmed www.example.com is blocked with 404 in the Network


Case 3: PASSED

  • loaded https://mixed.badssl.com/ in a new Tor window - PASSED
  • loaded http://mixed.badssl.com/image.jpg in a new Tor window - PASSED
  • loaded https://mixed-favicon.badssl.com/ in a new Tor window - PASSED
  • loaded https://mixed-form.badssl.com/ in a new Tor window - PASSED
  • loaded https://mixed-script.badssl.com/ in a new Tor window - PASSED
  • loaded https://very.badssl.com/ in a new Tor window - PASSED

(one screenshot per item)

@stephendonner added the QA/In-Progress and QA Pass-macOS labels and removed the QA/In-Progress label on Dec 20, 2022
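The behaviour the QA cases above verify, as an added JavaScript model that is not Brave's or Chromium's code: the trustworthiness of the document origin decides whether a plain-http subresource is mixed content, with http://*.onion treated as trustworthy (an assumption reflecting the fix under test) and image/audio/video auto-upgraded rather than blocked, as the quoted console messages show. The helper names, the request-type strings and the treatment of localhost are assumptions of this model.

```javascript
// Added example, not Brave's or Chromium's code: a model of the mixed-content
// decision exercised by the QA cases above. Assumption: in a Tor window an
// http://*.onion document is a secure context, so a plain-http subresource to a
// non-onion host is mixed content there, just as on an https page. Image, audio
// and video requests are auto-upgraded to https (the "automatically upgraded"
// console message); every other type (fetch, favicon, script, form) is blocked.
const AUTO_UPGRADE_TYPES = new Set(["image", "audio", "video"]);

// Is this URL's origin one whose pages may only embed secure subresources?
function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  if (u.protocol === "https:" || u.protocol === "wss:") return true;
  if (u.hostname === "localhost" || u.hostname.endsWith(".localhost")) return true;
  // Modelled after the fix under test: an onion service reached over Tor is
  // authenticated and encrypted end to end, so http://*.onion counts as trustworthy.
  if (u.protocol === "http:" && u.hostname.endsWith(".onion")) return true;
  return false;
}

// Decide what a page may do with a subresource request. requestType is the
// fetch destination, e.g. "fetch", "image", "favicon", "script" (assumed names).
function classifyRequest(documentURL, requestURL, requestType) {
  if (!isPotentiallyTrustworthy(documentURL)) {
    return { verdict: "allowed", reason: "document is not a secure context" };
  }
  // Relative URLs resolve against the document, so fetch("example.com") on an
  // onion page is a same-origin request, not mixed content; the 404 seen in
  // Case 2 comes from the onion server, not from the mixed-content check.
  const target = new URL(requestURL, documentURL);
  if (isPotentiallyTrustworthy(target.href)) {
    return { verdict: "allowed", reason: "target is itself trustworthy", url: target.href };
  }
  if (AUTO_UPGRADE_TYPES.has(requestType)) {
    target.protocol = "https:";
    return { verdict: "upgraded", reason: "optionally-blockable content upgraded", url: target.href };
  }
  // What DevTools shows as blocked:mixed-content in the Network panel.
  return { verdict: "blocked", reason: "blocked:mixed-content", url: target.href };
}
```

CORS is a separate check that runs after this one, which is why the https fetch in Case 1 can pass mixed content and still fail.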