[tor-bugs] #3809 [TorBrowserButton]: Hide referer spoofing option
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Thu Aug 25 22:35:26 UTC 2011
#3809: Hide referer spoofing option
----------------------------------------+-----------------------------------
Reporter: mikeperry | Owner: mikeperry
Type: defect | Status: new
Priority: normal | Milestone: TorBrowserBundle 2.2.x-stable
Component: TorBrowserButton | Version:
Keywords: MikePerryIteration20110828 | Parent:
Points: 3 | Actualpoints:
----------------------------------------+-----------------------------------
Referer spoofing breaks browser navigation due to an interaction with our
content policy. We could alter the content policy, but that would make the
toggle model even less safe, because of Firefox API limitations. Basically
the fix would increase the probability that some requests might leak
through from one torbutton state to another.
I am kind of torn. On the one hand, since we're don't really support the
toggle model, it might be fine to make it (more) insecure. However, I
don't really think the referrer blocking feature is very useful, and I am
planning on removing it in the next major release.. So to break it for
this reason seems kind of silly.
Hence, let's hide the referer spoofing option, demoting it to an
about:config pref only, to prevent people from breaking their TBBs with
it.
We will remove the pref entirely in a future release.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3809>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list