[tbb-bugs] #9623 [Tor Browser]: Referers being sent from hidden service websites

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Oct 3 21:25:50 UTC 2015

#9623: Referers being sent from hidden service websites
     Reporter:           |      Owner:  tbb-team
  cypherpunks            |     Status:  needs_review
         Type:  defect   |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  tbb-torbutton, tbb-security,
  Browser                |  TorBrowserTeam201510
   Resolution:           |  Parent ID:
Actual Points:           |    Sponsor:
       Points:           |
Changes (by zyan):

 * status:  needs_revision => needs_review


 Replying to [comment:22 mikeperry]:
 > I agree that .onion domains should not send cross-origin referrers by
 default. I could also see the High setting disabling them entirely, or
 applying the same origin restriction from the refSpoof component.
 > It looks like Yan's patch works for the .onion case only. We can take
 that, if it still works. We can also alter it to have a separate pref to
 apply to everything for the High setting easily enough. I am fine with
 > In both cases, we will need to file another tbb-torbotton-conversion
 ticket to convert this to a direct Firefox patch, but this need not block
 deploying this now.

 i have now rebased https://github.com/diracdeltas/torbutton/pull/1 and it
 seems to be working on the few .onions i've tested.
 mikeperry/gk please review. thanks.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9623#comment:25>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list