[tbb-bugs] #9623 [Tor Browser]: Referers being sent from hidden service websites

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Oct 7 02:55:29 UTC 2015


#9623: Referers being sent from hidden service websites
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  tbb-team
  cypherpunks            |     Status:  needs_revision
         Type:  defect   |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  tbb-torbutton, tbb-security,
  Browser                |  TorBrowserTeam201510R
   Resolution:           |  Parent ID:
Actual Points:           |    Sponsor:
       Points:           |
-------------------------+-------------------------------------------------

Comment (by zyan):

 Replying to [comment:31 teor]:
 > Replying to [comment:28 zyan]:
 > > Will fix. On further thought, maybe just get rid of the pref entirely
 until #17228? I can't think of an immediate use case where one would want
 to enable cross-origin onion referrers.
 >
 > Onion-sites using sub-onions to host (static) content.
 > Or the onion-per-role design that Facebook (and perhaps other sites) use
 (I think it's upload, static, and dynamic).
 >

 I am working with Alec Muffett at Facebook to see if this patch affects
 their use case, since they use a different onion domain as a CDN.

 Note that the patch does NOT affect referrer passage between onions and
 sub-onions. Those are considered the same origin, so the referrer is sent
 as usual.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9623#comment:33>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list