[tbb-bugs] #9623 [Tor Browser]: Referers being sent from hidden service websites
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Oct 3 13:20:06 UTC 2015
#9623: Referers being sent from hidden service websites
-------------------------+-------------------------------------------------
     Reporter:  cypherpunks |      Owner:  tbb-team
         Type:  defect      |     Status:  needs_revision
     Priority:  major       |  Milestone:
    Component:  Tor Browser |    Version:
   Resolution:              |   Keywords:  tbb-torbutton, tbb-security,
                            |              TorBrowserTeam201510
Actual Points:              |  Parent ID:
       Points:              |    Sponsor:
-------------------------+-------------------------------------------------
Changes (by mikeperry):

 * keywords: tbb-torbutton => tbb-torbutton, tbb-security,
   TorBrowserTeam201510

Comment:

I agree that .onion domains should not send cross-origin referrers by
default. I could also see the High setting disabling them entirely, or
applying the same origin restriction from the refSpoof component.

It looks like Yan's patch works for the .onion case only. We can take
that, if it still works. We can also alter it to have a separate pref to
apply to everything for the High setting easily enough. I am fine with
both.

In both cases, we will need to file another tbb-torbutton-conversion
ticket to convert this to a direct Firefox patch, but this need not block
deploying this now.

Sorry for missing Yan's initial review request.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9623#comment:22>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
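
The referrer decisions discussed in the comment above, modelled as an added JavaScript example. It is not Yan's patch or Torbutton code; the mode names, the function names and the .onion hostnames are constructed for illustration.

```javascript
// Added illustration, not Tor Browser code. Hypothetical mode names:
//   "default"          - .onion pages send no cross-origin Referer
//   "high-same-origin" - same-origin restriction applied to every site
//   "high-off"         - Referer disabled entirely
// The HTTPS-to-HTTP downgrade rule browsers also apply is left out.

function isOnionHost(hostname) {
  // Matches "x.onion" and "sub.x.onion"; tolerates a trailing dot.
  const h = hostname.toLowerCase().replace(/\.$/, "");
  return h === "onion" || h.endsWith(".onion");
}

// Returns the Referer value to send, or null to omit the header.
function refererFor(sourceUrl, destUrl, mode = "default") {
  let src, dst;
  try {
    src = new URL(sourceUrl);
    dst = new URL(destUrl);
  } catch (e) {
    return null; // unparseable URL: fail closed and send nothing
  }
  if (mode === "high-off") return null;
  // URL.origin compares scheme, host and port together.
  const crossOrigin = src.origin !== dst.origin;
  if (crossOrigin && (mode === "high-same-origin" || isOnionHost(src.hostname))) {
    return null;
  }
  // Never leak the fragment or embedded credentials.
  src.hash = "";
  src.username = "";
  src.password = "";
  return src.href;
}

// Constructed sample navigations: [source page, destination, mode].
const SAMPLES = [
  ["http://exampleonionaddr.onion/private?x=1", "https://example.com/", "default"],
  ["http://exampleonionaddr.onion/a", "http://exampleonionaddr.onion/b", "default"],
  ["http://sub.exampleonionaddr.onion/", "http://exampleonionaddr.onion/", "default"],
  ["https://example.org/a#frag", "https://example.com/", "default"],
  ["https://example.org/a", "https://example.com/", "high-same-origin"],
];
for (const [src, dst, mode] of SAMPLES) {
  console.log(mode, src, "->", dst, "Referer:", refererFor(src, dst, mode));
}
```
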