[tor-bugs] #2148 [Torbutton]: 1.3.x: RefSpoofer fails on 5 test cases out of 12.

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Tue Feb 15 12:04:26 UTC 2011


#2148: 1.3.x: RefSpoofer fails on 5 test cases out of 12.
---------------------------------+------------------------------------------
  Reporter:  T(A)ILS developers  |              Owner:  koryk         
      Type:  defect              |             Status:  assigned      
  Priority:  critical            |          Milestone:  Torbutton: 1.3
 Component:  Torbutton           |            Version:  Torbutton: 1.3
  Keywords:  refspoofer          |             Parent:                
    Points:  6                   |   Actualpointsdone:                
Pointsdone:                      |       Actualpoints:                
---------------------------------+------------------------------------------

Comment(by T(A)ILS developers):

 Hi Mike,

 When I reported the bug I was probably using an older version of Firefox;
 now I just tried again with the version shipped in Debian squeeze, 3.5.16-4,
 and torbutton 1.3.1-alpha, and as far as the B column is concerned I get the
 same results.

 In case B3, going from http://domain.tld/something.html to
 http://www.domain.tld/ I get:

 domain.tld:80 xx.xx.xx.xx - - [15/Feb/2011:12:19:33 +0100] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"

 So no referrer is sent when the spec says it should send it. And I can
 agree with that.

 In case B2, going from http://domain.tld/something.html to
 http://host.domain.tld/index.html I get:

 host.domain.tld:80 xx.xx.xx.xx - - [15/Feb/2011:12:22:32 +0100] "GET /index.html HTTP/1.1" 304 - "http://host.domain.tld" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"

 So a referrer from the *destination* host.domain.tld is sent, which is
 pretty weird indeed.

 The spec is unclear, but in my opinion it should not send any referrer in
 this case. I understand the choice made in the spec for case B3, since we
 can usually assume that domain.tld and www.domain.tld are run by the same
 entity. But in the more general case of different subdomains we should
 assume that it is not the case: they can be run by different entities, the
 DNS can point to different IPs, the admins and owners of the CMSes can be
 different. Thinking about two different wordpress.com blogs, for example
 one.wordpress.com and two.wordpress.com, I might not want the admin of
 two.wordpress.com to know that I'm coming from one.wordpress.com to visit her
 blog.

 I would be glad to help you more with debugging this. What extra information
 can I send you?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2148#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
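As an added example (not Torbutton's own code), the referrer policy this comment argues for, together with a check of access-log lines in the format quoted above against it. It assumes that a referrer, when sent, is the full source URL, and that "www." is the only host prefix treated as equivalent to the bare domain; the sample log lines are constructed from the two quoted in the ticket.

```javascript
// Added example, not Torbutton code: the referrer policy this comment argues for,
// plus a check of access-log lines (in the format quoted above) against it.
// Assumption: a referrer that is sent is the full source URL, and "www." is the
// only host prefix treated as equivalent to the bare domain.

function stripWww(host) {
  return host.toLowerCase().replace(/^www\./, "");
}

// Decide what Referer a navigation from fromUrl to toUrl should carry;
// null means "send none".
function chooseReferrer(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  if (from.host === to.host) return from.href;                     // same host
  if (stripWww(from.host) === stripWww(to.host)) return from.href; // B3: domain.tld <-> www.domain.tld
  return null;                                                     // B2: other subdomain, or unrelated site
}

// Parse 'vhost:port client - - [date] "GET /path HTTP/1.1" status bytes "referer" "ua"'.
function parseLogLine(line) {
  const m = /^(\S+):\d+ \S+ - - \[[^\]]+\] "GET (\S+) [^"]*" \d+ \S+ "([^"]*)" "/.exec(line);
  if (!m) return null;
  return { host: m[1], path: m[2], referer: m[3] === "-" ? null : m[3] };
}

// Compare the Referer a server logged with what the policy would have sent.
function classifyLoggedReferer(fromUrl, line) {
  const entry = parseLogLine(line);
  if (!entry) throw new Error("unrecognised log line");
  const expected = chooseReferrer(fromUrl, "http://" + entry.host + entry.path);
  if (entry.referer === expected) return "ok";
  if (entry.referer === null) return "suppressed";           // policy wanted one, none was sent
  if (new URL(entry.referer).host === entry.host) return "spoofed-to-destination";
  return "unexpected";                                       // differs from policy (e.g. source revealed)
}

// Constructed sample lines modelled on the two quoted in the ticket (client IP and UA shortened).
const SAMPLE_LOG = {
  B3: 'domain.tld:80 192.0.2.1 - - [15/Feb/2011:12:19:33 +0100] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0"',
  B2: 'host.domain.tld:80 192.0.2.1 - - [15/Feb/2011:12:22:32 +0100] "GET /index.html HTTP/1.1" 304 - "http://host.domain.tld" "Mozilla/5.0"',
};

for (const [label, line] of Object.entries(SAMPLE_LOG)) {
  console.log(label, classifyLoggedReferer("http://domain.tld/something.html", line));
}
```

Running it labels the B3 line "suppressed" (the spec wanted a referrer, none was sent) and the B2 line "spoofed-to-destination" (the destination host itself appears as referrer), which are the two deviations the comment describes.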