[tbb-bugs] #9623 [Tor Browser]: Referers being sent from hidden service websites

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Oct 9 14:08:30 UTC 2015


#9623: Referers being sent from hidden service websites
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  tbb-team
  cypherpunks            |     Status:  needs_revision
         Type:  defect   |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  tbb-torbutton, tbb-security,
  Browser                |  TorBrowserTeam201510R
   Resolution:           |  Parent ID:
Actual Points:           |    Sponsor:
       Points:           |
-------------------------+-------------------------------------------------

Comment (by gk):

 Replying to [comment:30 zyan]:
 > Addressed comments in https://github.com/diracdeltas/torbutton/pull/1
 and updated to using mozIThirdPartyUtil instead of rolling our own same-
 origin check.

 This looks better, thanks. Some smaller things:

 1) Could you avoid doing
 {{{
    var ios = Components.classes["@mozilla.org/network/io-service;1"].
      getService(Components.interfaces.nsIIOService);
 }}}
 everytime calling `onModifyRequest()`? Assigning it once in the
 constructor (as done with `thirdPartyUtil`) should be enough.

 2) Could you remove the boilerplate for Firefox 3.6 at the end of
 torRefSpoofer.js?

 3) Could you squash your commits?

 One thing I am wondering is whether it would be better to set the Referrer
 to a URL containing the domain the user is requesting instead of setting
 it to `http://example.com`. There might be cases where this makes the
 Referer spoofing non-obvious which seems superior to just using a semi-
 random URL.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9623#comment:34>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list