commit 5032b8897b45229f62307f80b9dce401e4f734f7 Author: Mike Perry mikeperry-git@fscked.org Date: Sat Aug 27 15:25:00 2011 -0700
Bug #3748: Disable 3rd party HTTP auth
We do this by removing the Authenticate header. Users will now experience dialogs informing them of incorrect authenticate attempts in the event of an attack/attempted use of 3rd party auth. See #3837 for the bug to improve the dialog.
---
 src/chrome/content/stanford-safecache.js | 12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/src/chrome/content/stanford-safecache.js b/src/chrome/content/stanford-safecache.js
index 0b08bda..4dd388d 100644
--- a/src/chrome/content/stanford-safecache.js
+++ b/src/chrome/content/stanford-safecache.js
@@ -140,6 +140,18 @@ SSC_RequestListener.prototype =
 " content loaded by " + parent_host);
 this.setCacheKey(channel, parent_host);
 referrer = parent_host;
+ try {
+ // Disable 3rd party http auth
+ // FIXME: Hrmm, this is just going to disable auth for 3rd party domains.
+ // It would be better if we could isolate the auth, but still
+ // allow it to be transmitted.. But I guess, who still uses http auth anyways?
+ if (channel.getRequestHeader("Authorization") !== null) {
+ torbutton_safelog(4, "Removing 3rd party HTTP auth for url: ", channel.URI.spec);
+ channel.setRequestHeader("Authorization", null, false);
+ channel.setRequestHeader("Pragma", null, false);
+ channel.setRequestHeader("Cache-Control", null, false);
+ }
+ } catch (e) {}
 } else {
 referrer = channel.URI.host;
 if(!this.readCacheKey(channel.cacheKey)) {
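Review bot: The empty `catch (e) {}` wrapped around the whole added block fails open: if one of the `setRequestHeader` calls throws, the third-party request goes out with its Authorization header intact and nothing is logged. As far as I know `nsIHttpChannel.getRequestHeader` throws when the header is not set rather than returning null, so a catch is needed for the lookup, but it should cover only that call, with removal failures reported separately as sketched below. The clearing of `Pragma` and `Cache-Control` also deserves a one-line comment saying why they are stripped together with the credentials, since the hunk gives no reason. The enclosing listener method starts and ends outside the hunk.

```javascript
referrer = parent_host;
// Disable 3rd party http auth
// … unchanged: FIXME comment …
var has_auth = false;
try {
  // getRequestHeader throws when the header is not set; that is the normal case.
  has_auth = channel.getRequestHeader("Authorization") !== null;
} catch (e) {}
if (has_auth) {
  torbutton_safelog(4, "Removing 3rd party HTTP auth for url: ", channel.URI.spec);
  try {
    // … unchanged: the three setRequestHeader(..., null, false) calls …
  } catch (e) {
    // Removal failed: the request may still carry credentials, so report it.
    torbutton_safelog(4, "Failed to remove 3rd party HTTP auth: ", String(e));
  }
}
```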