[tbb-bugs] #21756 [Applications/Tor Browser]: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Apr 7 10:32:59 UTC 2017
#21756: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-team
     Type:  defect                               |         Status:  assigned
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, TorBrowserTeam201704,      |  Actual Points:
  tbb-7.0-must-alpha                             |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:  Sponsor4
-------------------------------------------------+-------------------------
Changes (by gk):
* status: needs_review => assigned
* keywords: ff52-esr, TorBrowserTeam201704R, tbb-7.0-must-alpha =>
ff52-esr, TorBrowserTeam201704, tbb-7.0-must-alpha
Comment:
Replying to [comment:2 arthuredelstein]:
> In the #20680 branch, I dropped our #13900 patch because ESR52 is
> supposed to isolate HTTP Auth by first party. There is an automated test
> in ESR52 from https://bugzilla.mozilla.org/1301523. So I think the
> http://ip-check.info site is detecting that the HTTP Auth credentials are
> being saved to the third party, but it isn't testing if these credentials
> are shared by with first party.

I am not so sure about that. They are saved in Tor Browser 6.5.1 as well
but still the test passes with it. We are stripping the third party
headers when we are doing a request. Now, the most likely explanation is
that the test is showing a red outcome just in case it gets any third
party headers back. Then this would be indeed no issue for us. What it
actually does is implementing:
http://blog.jeremiahgrossman.com/2007/04/tracking-users-without-cookies.html
using things like http://Session:483452791@ipcheck.info/auth.css.php in a
stylesheet link from ip-check.info to work without JS as well.

Do you think you could come up with a test for that scenario, too, to be
extra sure that nothing is sneaking in?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21756#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
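
A check for the pattern described in the comment above, as an added example that is not part of the original message or of Tor Browser's test suite: it scans a page's markup for automatically fetched subresource URLs that carry HTTP auth userinfo and reports whether the target host differs from the page's host. The function and class names, the sample markup and the exact-hostname comparison are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that triggers an automatic subresource fetch (no JS needed).
SUBRESOURCE_ATTRS = {"link": "href", "img": "src", "script": "src", "iframe": "src"}


class UserinfoSubresourceFinder(HTMLParser):
    """Collect subresource URLs that embed HTTP auth credentials (userinfo)."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag)
        value = dict(attrs).get(wanted) if wanted else None
        if not value:
            return
        parts = urlsplit(urljoin(self.page_url, value))
        if parts.username is None and parts.password is None:
            return  # no userinfo component, nothing to report
        self.findings.append({
            "tag": tag,
            "host": parts.hostname,
            # Assumption: exact hostname comparison stands in for a real
            # first-party check (which would use the Public Suffix List).
            "third_party": parts.hostname != self.page_host,
            "userinfo": parts.netloc.rpartition("@")[0],
        })


def find_userinfo_subresources(html, page_url):
    """Return one finding per subresource URL that carries userinfo."""
    finder = UserinfoSubresourceFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample page; the stylesheet URL is the one quoted in the comment.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://Session:483452791@ipcheck.info/auth.css.php">
<link rel="stylesheet" href="/style.css">
</head><body><img src="http://ip-check.info/logo.png"></body></html>
"""

if __name__ == "__main__":
    for finding in find_userinfo_subresources(SAMPLE_HTML, "http://ip-check.info/"):
        print(finding)
```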