[tbb-bugs] #21756 [Applications/Tor Browser]: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Apr 3 16:49:53 UTC 2017


#21756: HTTP Authentication data is still sent to third parties with ESR 52 based
Tor Browser
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:  new
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, tbb-7.0-must,              |  Actual Points:
  TorBrowserTeam201703                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor4
-------------------------------------------------+-------------------------

Comment (by arthuredelstein):

 In the #20680 branch, I dropped our #13900 patch because ESR52 is supposed
 to isolate HTTP Auth by first party. There is an automated test in ESR52
 from https://bugzilla.mozilla.org/1301523. So I think the
 http://ip-check.info site is detecting that the HTTP Auth credentials are
 being saved to the third party, but it isn't testing if these credentials
 are shared with the first party.

 I wrote a manual test and was able to confirm that first-party isolation
 (double keying) is working. Here's the test:

 First visit https://arthuredelstein.net/auth-test.html. It contains an
 iframe located at `torpat.ch/auth`. Username is "username" and password is
 "password". Once credentials are entered at the prompt, you can reload and
 the credentials will be remembered such that no prompt is shown for a
 second time.

 Next visit https://torpat.ch/auth-test.html. It also has an iframe at the
 same location. If double-keying is working correctly, the browser should
 prompt again for username and password even though the third-party domain
 is the same (torpat.ch).

 Test source: https://github.com/arthuredelstein/auth-test

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21756#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
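A local stand-in for the two-page check described in the comment, added here as an example and not the test source linked from the ticket: one Python server answers `/auth` with HTTP Basic authentication and serves `/auth-test.html`, which embeds `/auth` in an iframe from a fixed host. Opening the page under two different hostnames (e.g. `127.0.0.1` and `localhost`) gives two different first parties with the same embedded auth origin; it is assumed the browser under test can reach the local server and keys those two hostnames separately.

```python
import base64
import hmac
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials, the same pair the comment uses.
USERNAME, PASSWORD, REALM = "username", "password", "auth-test"


def check_basic_auth(header):
    """True only for a well-formed 'Basic <base64(user:pass)>' matching our pair."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, pw = decoded.partition(":")
    # Constant-time comparison: a plain == would leak how much of the value matched.
    return bool(sep) and hmac.compare_digest(user, USERNAME) and hmac.compare_digest(pw, PASSWORD)


def render_test_page(auth_url):
    """Top-level page that embeds the protected resource as an iframe."""
    return ('<!doctype html><p>first party: <script>document.write(location.host)</script></p>'
            f'<iframe src="{auth_url}" width="400" height="80"></iframe>')


class Handler(BaseHTTPRequestHandler):
    auth_host = "localhost"  # the fixed embedded host, the same for every first party

    def _reply(self, code, body, extra=()):
        self.send_response(code)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        for name, value in extra:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body.encode())

    def do_GET(self):
        if self.path == "/auth-test.html":
            self._reply(200, render_test_page(f"http://{self.auth_host}:{self.server.server_port}/auth"))
        elif self.path == "/auth" and check_basic_auth(self.headers.get("Authorization")):
            self._reply(200, "<p>authenticated</p>")
        elif self.path == "/auth":
            # A 401 here means the browser sent no credentials for this (first party, auth origin) key.
            self._reply(401, "<p>unauthorized</p>", [("WWW-Authenticate", f'Basic realm="{REALM}"')])
        else:
            self._reply(404, "<p>not found</p>")


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8000
    HTTPServer(("", port), Handler).serve_forever()
```

Authenticate once at http://127.0.0.1:8000/auth-test.html, then open http://localhost:8000/auth-test.html: with double keying the iframe gets a fresh 401 and the browser prompts again, while a shared credential cache loads it silently.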