[tor-bugs] #3748 [TorBrowserButton]: Isolate HTTP Auth to top-level domain

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Fri Aug 26 21:57:07 UTC 2011


#3748: Isolate HTTP Auth to top-level domain
------------------------------+---------------------------------------------
 Reporter:  mikeperry         |          Owner:  mikeperry                    
     Type:  defect            |         Status:  new                          
 Priority:  major             |      Milestone:  TorBrowserBundle 2.2.x-stable
Component:  TorBrowserButton  |        Version:                               
 Keywords:                    |         Parent:                               
   Points:                    |   Actualpoints:                               
------------------------------+---------------------------------------------

Comment(by mikeperry):

 Georg - I noticed you strip off the WWW-Authenticate header from 3rd party
 responses. Does that serve any security purpose, or does it exist just to
 prevent 3rd parties from being able to open auth prompts?

 I am thinking that we might want the auth prompts to show up. They would
 be evidence of a tracking attack using this mechanism. If the adversary
 doesn't get the Authenticate header they want and then sets
 WWW-Authenticate, the browser would effectively be alerting the user that
 the site is trying to track them.

 It might also help users diagnose issues in the event that this feature
 breaks some other site that requires 3rd party auth.

 What do you think?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3748#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online