[tbb-bugs] #9623 [Tor Browser]: Referers being sent from hidden service websites
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Oct 3 21:25:50 UTC 2015
#9623: Referers being sent from hidden service websites
-------------------------+-------------------------------------------------
Reporter: | Owner: tbb-team
cypherpunks | Status: needs_review
Type: defect | Milestone:
Priority: major | Version:
Component: Tor | Keywords: tbb-torbutton, tbb-security,
Browser | TorBrowserTeam201510
Resolution: | Parent ID:
Actual Points: | Sponsor:
Points: |
-------------------------+-------------------------------------------------
Changes (by zyan):
* status: needs_revision => needs_review
Comment:
Replying to [comment:22 mikeperry]:
> I agree that .onion domains should not send cross-origin referrers by
default. I could also see the High setting disabling them entirely, or
applying the same origin restriction from the refSpoof component.
>
> It looks like Yan's patch works for the .onion case only. We can take
that, if it still works. We can also alter it to have a separate pref to
apply to everything for the High setting easily enough. I am fine with
both.
>
> In both cases, we will need to file another tbb-torbotton-conversion
ticket to convert this to a direct Firefox patch, but this need not block
deploying this now.
>
i have now rebased https://github.com/diracdeltas/torbutton/pull/1 and it
seems to be working on the few .onions i've tested.
mikeperry/gk please review. thanks.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9623#comment:25>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list