[tor-bugs] #5477 [EFF-HTTPS Everywhere]: Surprising DOM origins before HTTPS-E/NoScript redirects have completed

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Tue Apr 17 07:36:00 UTC 2012


#5477: Surprising DOM origins before HTTPS-E/NoScript redirects have completed
------------------------------------------------------+---------------------
 Reporter:  Drugoy                                    |          Owner:  pde
     Type:  defect                                    |         Status:  new
 Priority:  major                                     |      Milestone:     
Component:  EFF-HTTPS Everywhere                      |        Version:     
 Keywords:  address spoofing, critical vulnerability  |         Parent:     
   Points:                                            |   Actualpoints:     
------------------------------------------------------+---------------------

Comment(by mikeperry):

 pde: One reason you might not be able to snag apple.com cookies is that
 the cookie origin checks are independent from the document.write origin
 checks. However, the ability to spoof a login page from a false https
 origin is bad enough to warrant investigation, I think. The default user
 behavior for a convincing login is to enter their password, after all.

 As far as how to solve this: to avoid wading through both NoScript and the
 corresponding XPCOM objects in C++, I motion that we first ask Giorgio if
 he has any clues as to what is going on. If Giorgio times out, I think we
 should ask Mozilla why normal redirects can't do this attack. Or perhaps
 in the reverse order..

 In either case, it seems a suspicious enough violation of same-origin
 policy to make me feel like we need not be first in line to spend deep IQ
 on this problem.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5477#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

