[tbb-bugs] #9623 [Tor Browser]: Referers being sent from hidden service websites

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Oct 9 15:42:30 UTC 2015

#9623: Referers being sent from hidden service websites
     Reporter:           |      Owner:  tbb-team
  cypherpunks            |     Status:  needs_revision
         Type:  defect   |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  tbb-torbutton, tbb-security,
  Browser                |  TorBrowserTeam201510R
   Resolution:           |  Parent ID:
Actual Points:           |    Sponsor:
       Points:           |

Comment (by zyan):

 Replying to [comment:34 gk]:
 > Replying to [comment:30 zyan]:
 > > Addressed comments in https://github.com/diracdeltas/torbutton/pull/1
 and updated to using mozIThirdPartyUtil instead of rolling our own same-
 origin check.
 > This looks better, thanks. Some smaller things:
 > 1) Could you avoid doing
 > {{{
 >    var ios = Components.classes["@mozilla.org/network/io-service;1"].
 >      getService(Components.interfaces.nsIIOService);
 > }}}
 > everytime calling `onModifyRequest()`? Assigning it once in the
 constructor (as done with `thirdPartyUtil`) should be enough.
 > 2) Could you remove the boilerplate for Firefox 3.6 at the end of

 good catches, fixed.

 > 3) Could you squash your commits?
 > One thing I am wondering is whether it would be better to set the
 Referrer to a URL containing the domain the user is requesting instead of
 setting it to `http://example.com`. There might be cases where this makes
 the Referer spoofing non-obvious which seems superior to just using a
 semi-random URL.

 I think this makes sense, so I did it.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9623#comment:35>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list