[tbb-bugs] #9623 [Tor Browser]: Referers being sent from hidden service websites

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Oct 3 13:20:06 UTC 2015

#9623: Referers being sent from hidden service websites
     Reporter:           |      Owner:  tbb-team
  cypherpunks            |     Status:  needs_revision
         Type:  defect   |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  tbb-torbutton, tbb-security,
  Browser                |  TorBrowserTeam201510
   Resolution:           |  Parent ID:
Actual Points:           |    Sponsor:
       Points:           |
Changes (by mikeperry):

 * keywords:  tbb-torbutton => tbb-torbutton, tbb-security,


 I agree that .onion domains should not send cross-origin referrers by
 default. I could also see the High setting disabling them entirely, or
 applying the same origin restriction from the refSpoof component.

 It looks like Yan's patch works for the .onion case only. We can take
 that, if it still works. We can also alter it to have a separate pref to
 apply to everything for the High setting easily enough. I am fine with

 In both cases, we will need to file another tbb-torbotton-conversion
 ticket to convert this to a direct Firefox patch, but this need not block
 deploying this now.

 Sorry for missing Yan's initial review request.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9623#comment:22>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list