[tbb-bugs] #14085 [Applications/Tor Browser]: HTTP redirects can leak third-party state (cookies, etc) (was: Redefine HTTP redirect responses to match 3rd party context)

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jul 1 05:47:19 UTC 2016


#14085: HTTP redirects can leak third-party state (cookies, etc)
--------------------------------------+-----------------------------------
 Reporter:  michael                   |          Owner:  tbb-team
     Type:  enhancement               |         Status:  needs_information
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:  #3246                     |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+-----------------------------------
Changes (by arthuredelstein):

 * severity:   => Normal


Old description:

> Pending consensus by the TBB team, reimplement all ''HTTP redirect''
> (301, 302, 303, 307, 308) responses in ''3rd party DOM contexts.''
> The rationale for this is to '''support popup and new window''' cross-domain
> cookie conditions, [https://bugzilla.mozilla.org/show_bug.cgi?id=565965#c3 as
> suggested by Dan Witte].

New description:

 HTTP double redirects (301, 302, etc.) can result in third-party cookies
 being read without the consent of the user.

 See discussion [https://bugzilla.mozilla.org/show_bug.cgi?id=565965#c3 by
 Dan Witte].

--

Comment:

 Here's a summary of how double-redirects can violate the ban on third-
 party cookies:
 1. Visit A.com in Tab 1:
   * A.com sets a cookie ("data=A1") with A.com as first party
 2. Visit B.com in Tab 2:
   * B.com/ redirects to A.com/trac?from=B.com
   * A.com receives the previously-set cookie "data=A1" in GET request
   * A.com/trac?from=B.com redirects to B.com/home?data=A1

 Such a double redirect is invisible to the user, because A.com is never
 visible in Tab 2's URL bar. But now A.com has linked the activities in Tab
 1 and Tab 2.

 I observed an example of this behavior while using Tor Browser.
 (google.com was A.com, and persona.org was B.com)

 So I think the idea of considering redirects to have third-party rights is
 a good one. HTTP request headers that would seem to leak state include
 * `Cookie`
 * `Authorization`
 Also, OCSP requests might be revealing. What else do we need to worry
 about?

 (I edited the title and description to try to clarify what this ticket is
 about.)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14085#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
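The two-tab scenario from the comment above, as an added example that is not part of the ticket and not Tor Browser code. It models the double redirect with two constructed hosts, a.com (the ticket's A.com) and b.com (B.com), an in-memory cookie jar, and two cookie policies: 'per-host' (cookies keyed only by the host that set them, which is what lets the redirect hop read Tab 1's cookie) and 'redirect-as-third-party' (an assumed reading of the ticket's proposal: every hop of a navigation is keyed by the host the user actually navigated to). The server responses, the policy names and the jar layout are assumptions made for this illustration; nothing here touches the network.

```javascript
// Added example for this ticket thread, not Tor Browser code. Hosts, responses,
// cookie jar and policies are constructed for illustration only.

// Constructed server behaviour for the two hypothetical hosts.
// req: { host, path, cookie }  ->  res: { status, location?, setCookie? }
function serverResponse(req) {
  if (req.host === 'a.com' && req.path === '/') {
    // Step 1 of the ticket: a direct visit to a.com sets a cookie.
    return { status: 200, setCookie: 'data=A1' };
  }
  if (req.host === 'b.com' && req.path === '/') {
    // Step 2: b.com bounces the visitor through a.com.
    return { status: 302, location: 'http://a.com/trac?from=b.com' };
  }
  if (req.host === 'a.com' && req.path === '/trac') {
    // a.com reflects whatever cookie value it received into the redirect back.
    const value = req.cookie ? req.cookie.split('=')[1] : 'none';
    return { status: 302, location: `http://b.com/home?data=${value}` };
  }
  return { status: 200 };
}

class Browser {
  constructor(policy) {
    this.policy = policy; // 'per-host' or 'redirect-as-third-party' (assumed names)
    this.jar = new Map(); // jar key -> cookie string
  }

  // Which jar a request reads from and writes to. Under 'per-host' a redirect
  // hop to a.com gets a.com's cookies no matter which tab or site started the
  // navigation; under 'redirect-as-third-party' it only gets cookies a.com set
  // while b.com was the first party, i.e. none in this scenario.
  jarKey(requestHost, firstParty) {
    return this.policy === 'per-host' ? requestHost : `${firstParty}|${requestHost}`;
  }

  // Top-level navigation in a tab, following redirects like a browser does.
  // Only the final URL would ever be shown in the URL bar.
  navigate(start) {
    const firstParty = new URL(start).hostname;
    let url = new URL(start);
    const hops = [];
    for (let n = 0; n < 10; n++) {
      const key = this.jarKey(url.hostname, firstParty);
      hops.push(url.href);
      const res = serverResponse({ host: url.hostname, path: url.pathname, cookie: this.jar.get(key) });
      if (res.setCookie) this.jar.set(key, res.setCookie);
      if (res.status >= 300 && res.status < 400 && res.location) {
        url = new URL(res.location, url);
        continue;
      }
      return { finalUrl: url.href, hops };
    }
    throw new Error('too many redirects');
  }
}

// Runs the ticket's two-tab scenario and reports what b.com learned.
function runScenario(policy) {
  const browser = new Browser(policy);
  browser.navigate('http://a.com/');              // Tab 1
  const tab2 = browser.navigate('http://b.com/'); // Tab 2
  return {
    hops: tab2.hops,
    dataReachingB: new URL(tab2.finalUrl).searchParams.get('data'),
  };
}

for (const policy of ['per-host', 'redirect-as-third-party']) {
  const r = runScenario(policy);
  console.log(policy, ':', r.hops.join(' -> '), '| b.com sees data =', r.dataReachingB);
}
```

The 'per-host' run reproduces the leak: the hop through a.com never appears in the final URL, yet b.com ends up with the value a.com stored in Tab 1. Note that a DOM-level ban on third-party cookies does nothing here, because every hop is a top-level request. The same jar-key rule would have to govern any other stored credential sent on the hop (the thread names `Authorization`). The cost of the isolating policy is visible in the model too: it also withholds cookies from legitimate cross-site redirect flows, such as a login that bounces through another domain.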

