[tor-bugs] #3739 [TorBrowserButton]: SafeCache policy likely fails for https->http CORS (and reverse)
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Fri Aug 19 17:33:13 UTC 2011
#3739: SafeCache policy likely fails for https->http CORS (and reverse)
----------------------------------------+-----------------------------------
Reporter: mikeperry | Owner: mikeperry
Type: defect | Status: new
Priority: major | Milestone: TorBrowserBundle 2.2.x-stable
Component: TorBrowserButton | Version:
Keywords: MikePerryIteration20110828 | Parent:
Points: 2 | Actualpoints:
----------------------------------------+-----------------------------------
Comment(by gk):
I have not had time to comment on ticket 3665 but I would not recommend
that you use the Referer as a fallback if using notificationCallbacks is
futile. There are scenarios where that does not help either (I encountered
one during my tests of our preliminary defense against HTTP Auth tracking
that also uses notificationCallbacks to get the associated window of a
request/response, and if none is available (or getting the window out of it
failed) I tried to get the Referer. I got one but that did not trigger the
separation logic...). Rather, I would suggest using getOriginatingURI()
available via nsICookiePermission and implemented by
@mozilla.org/cookie/permission;1. That solved the problems I had and will
probably not affect https -> http transitions. Maybe that's the silver
bullet we are looking for here. Or it may open new corner cases...
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3739#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online