<div dir="ltr"><div><span style="font-size:12.8px">> I agree HS owners can do this with CSP1.1 right now (or the old <meta></span></div><div><span style="font-size:12.8px">> referrer tags, though i think that was reverted in Firefox?) but it's</span></div><div><span style="font-size:12.8px">> important enough to prevent leaks that I think the client should handle it.</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">I want to emphasize the importance of these measures to HS owners because not</span></div><div><span style="font-size:12.8px">everyone using Tor uses it through TBB/Torbutton. Any VPN-based Tor client, or a</span></div><div><span style="font-size:12.8px">vanilla browser will still gladly leak Referrer headers.</span></div><div style="font-size:12.8px"><span style="font-size:12.8px"><br></span></div><div style="font-size:12.8px"><span style="font-size:12.8px"><br></span></div><div style="font-size:12.8px"><span style="font-size:12.8px">Conrad</span></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 6, 2015 at 7:57 PM, yan <span dir="ltr"><<a href="mailto:yan@torproject.org" target="_blank">yan@torproject.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hey Tom and co,<br>
<br>
I am the person who wrote the fix in a hurry 14 months ago (as a stop-gap before FF38 with all its referer goodness was released). Glad it's finally being reviewed!<br>
<br>
Here is the patch: <a href="https://github.com/diracdeltas/torbutton/pull/1/files" rel="noreferrer" target="_blank">https://github.com/diracdeltas/torbutton/pull/1/files</a><br>
Here is the ticket: <a href="https://trac.torproject.org/projects/tor/ticket/9623" rel="noreferrer" target="_blank">https://trac.torproject.org/projects/tor/ticket/9623</a><br>
<br>
The patch only clears referer on cross-domain requests involving THS's. So referer will be preserved on http(s)://www.facebookcorewwwi.onion to http(s)://cdn.facebookcorewwwi.onion, for instance. Referer will NOT be sent to http(s)://someotheronion.onion or <a href="http://google.com" rel="noreferrer" target="_blank">http://google.com</a>, for instance.<br>
<br>
I agree HS owners can do this with CSP1.1 right now (or the old <meta> referrer tags, though i think that was reverted in Firefox?) but it's important enough to prevent leaks that I think the client should handle it.<br>
<br>
Cheers,<br>
Yan<div class=""><div class="h5"><br>
<br>
On 10/6/15 9:57 PM, Tom Ritter wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
What's the fix in the works? There is a specification being developed<br>
to allow sites to opt to remove referers (or opt to let them leak<br>
*more* information.) <a href="http://www.w3.org/TR/referrer-policy/" rel="noreferrer" target="_blank">http://www.w3.org/TR/referrer-policy/</a><br>
<br>
(If you're wondering why one would want to leak more information, it's<br>
basically to promote HTTPS adoption. One of the things holding back<br>
HTTPS adoption is the lack of Referer on a HTTPS->HTTP link, so by<br>
removing that constraint, the originating origin can move to HTTPS.)<br>
<br>
Firefox supports Referrer Policy as of 36:<br>
<a href="https://blog.mozilla.org/security/2015/01/21/meta-referrer/" rel="noreferrer" target="_blank">https://blog.mozilla.org/security/2015/01/21/meta-referrer/</a> so<br>
arguably HS owners have the ability to fix this themselves for users<br>
on ESR38.<br>
<br>
-tom<br>
<br>
<br>
On 6 October 2015 at 18:15, Tim Wilson-Brown - teor <<a href="mailto:teor2345@gmail.com" target="_blank">teor2345@gmail.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Hi All,<br>
<br>
Currently there’s an information leak in Tor Browser: it sends referrer<br>
headers containing .onion site addresses when the user clicks on a link on<br>
the .onion site.<br>
<br>
There’s a fix in the works, but we were wondering:<br>
Does anyone’s hidden service depend on the referrer header?<br>
The currently favoured fix is to stop sending referrers cross-origin<br>
(between different .onion sites, and between .onion sites and sites on the<br>
internet).<br>
<br>
But this may break sites that are set up with multiple .onion addresses and<br>
use referrers to check that requests are coming from the parent site.<br>
(People sometimes set up different .onion sites to serve different types of<br>
content, such as images.)<br>
<br>
In general, I would discourage people from using referrers in this way,<br>
because they aren’t secure and can be faked.<br>
<br>
But does anyone have a compelling use case for cross-origin referrers, or is<br>
using them at the moment?<br>
We could include a preference if removing them would break too many sites.<br>
<br>
Tim<br>
<br>
Tim Wilson-Brown (teor)<br>
<br>
teor2345 at gmail dot com<br>
PGP 968F094B<br>
<br>
teor at blah dot im<br>
OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F<br>
<br>
<br>
_______________________________________________<br>
tor-dev mailing list<br>
<a href="mailto:tor-dev@lists.torproject.org" target="_blank">tor-dev@lists.torproject.org</a><br>
<a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev" rel="noreferrer" target="_blank">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev</a><br>
<br>
</blockquote>
_______________________________________________<br>
tor-dev mailing list<br>
<a href="mailto:tor-dev@lists.torproject.org" target="_blank">tor-dev@lists.torproject.org</a><br>
<a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev" rel="noreferrer" target="_blank">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev</a><br>
<br>
</blockquote>
_______________________________________________<br>
tor-dev mailing list<br>
<a href="mailto:tor-dev@lists.torproject.org" target="_blank">tor-dev@lists.torproject.org</a><br>
<a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev" rel="noreferrer" target="_blank">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev</a><br>
</div></div></blockquote></div><br></div></div>