[tor-bugs] #3508 [TorBrowserButton]: Apply new SafeCache patch
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Wed Jul 6 00:12:39 UTC 2011
#3508: Apply new SafeCache patch
---------------------------------+------------------------------------------
Reporter: mikeperry | Owner: mikeperry
Type: enhancement | Status: closed
Priority: major | Milestone:
Component: TorBrowserButton | Version:
Resolution: fixed | Keywords: MikePerryIterationFires20110630
Parent: | Points: 3
Actualpoints: 3 |
---------------------------------+------------------------------------------
Changes (by mikeperry):
* status: new => closed
* points: => 3
* resolution: => fixed
* actualpoints: => 3
Comment:
This ended up being a little tricky. We had to add some new prefs, remove
the ones there, and change the default behavior a bit.

The result is that the cache restrictions are no longer tied to the cookie
policy. 3rd party elements are given a cache key that binds them to the
URL bar domain. The original code by Collin Jackson bound elements to the
domain in the referer, but this ended up producing some odd properties
that seem non-ideal and yield no real security gain against cooperating
adversaries.

As a result, Collin's test cases on the SafeCache test site won't function
as expected. The test to verify functionality is to ensure that you get a
different random ID whenever you actually load one of those iframes as
either a top-level page or from another origin. This test works with
1.4.0.

The cookie restrictions are disabled. We need an implementation that
applies to JS cookies as well for us to bother, I think.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3508#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
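
Added example, not part of the original message and not Torbutton or SafeCache code: a toy model of a cache whose key binds each element to the URL bar domain, run through the random-ID check the comment describes. All names and URLs are hypothetical, and the bare hostname is assumed to stand in for the "URL bar domain".

```javascript
// Added illustration; every name here is hypothetical, not Torbutton code.
let minted = 0;

// Stand-in for the test server: each cache miss is answered with a fresh ID.
function fetchFromServer() {
  minted += 1;
  return `id-${minted}-${Math.random().toString(36).slice(2, 10)}`;
}

// Assumption: the bare hostname stands in for the "URL bar domain".
function urlBarDomain(urlBarUrl) {
  return new URL(urlBarUrl).hostname.toLowerCase();
}

class UrlBarKeyedCache {
  constructor() {
    this.entries = new Map();
    this.misses = 0;
  }

  // The referer is accepted but deliberately not part of the cache key.
  load({ urlBar, referer, resource }) {
    const key = `${urlBarDomain(urlBar)}|${resource}`;
    if (!this.entries.has(key)) {
      this.misses += 1;
      this.entries.set(key, fetchFromServer());
    }
    return this.entries.get(key);
  }
}

// Constructed sample URLs; mirrors the random-ID check from the comment.
function runIsolationCheck() {
  const cache = new UrlBarKeyedCache();
  const frame = "https://idframe.example/id.html";
  const a = "https://site-a.example/";
  const b = "https://site-b.example/";
  const nested = "https://widgets.example/w.html"; // frame inside a frame on site A
  const onA = cache.load({ urlBar: a, referer: a, resource: frame });
  const onANested = cache.load({ urlBar: a, referer: nested, resource: frame });
  const onB = cache.load({ urlBar: b, referer: b, resource: frame });
  const topLevel = cache.load({ urlBar: frame, referer: "", resource: frame });
  return {
    sameUnderOneUrlBarDomain: onA === onANested,
    differsFromAnotherOrigin: onA !== onB,
    differsAsTopLevel: topLevel !== onA && topLevel !== onB,
    serverFetches: cache.misses,
  };
}

console.log(runIsolationCheck());
```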