[tor-bugs] #7740 [Flashproxy]: flashproxy badge works just like a web bug

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Dec 19 04:35:19 UTC 2012


#7740: flashproxy badge works just like a web bug
------------------------+---------------------------------------------------
 Reporter:  arma        |          Owner:  dcf
     Type:  defect      |         Status:  new
 Priority:  normal      |      Milestone:     
Component:  Flashproxy  |        Version:     
 Keywords:              |         Parent:     
   Points:              |   Actualpoints:     
------------------------+---------------------------------------------------

Comment(by dcf):

 There are two different entities contacted when you load the iframe, and
 they know different things:

 The web server hosting `flashproxy.js` (currently crypto.stanford.edu)
 gets to see the referrer, but only gets contacted once a day while the
 proxy is operating. (It would be only once when the proxy starts up, but I
 have a meta-refresh set for once a day so that proxies can update
 themselves.)

 The facilitator knows while the proxy is operating, but it does not see
 the referrer (as far as I can tell). That is, it doesn't get to see the
 URL of the page containing the iframe; the referrer it sees is
 crypto.stanford.edu/flashproxy/embed.html. Same with the WebSocket
 connections that are made to the relay and the client: they don't have a
 `Referrer` but they do have an `Origin` of crypto.stanford.edu.

 > Oh, iframes send a referrer? (The website in an iframe knows that it's
 iframed in website xyz?)
 To the best of my knowledge, this is not the case.

 So from the point of view of the facilitator, the badge is more innocuous
 than a web bug, because it doesn't see the referrer. From the point of
 view of the hosting web server, it does work as a web bug.

 Self-hosting the badge gets rid of the third-party server. (As you mention
 it also has disadvantages like not being able to easily update the proxy
 source code.)

 There is something called `rel=noreferrer` that purports to prevent the
 browser from sending a referrer. It appears to work for links; I don't
 know if it works for other things like `img` and `iframe`.

 There may be other ideas, I'm brainstorming.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7740#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
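
What the badge host receives when the iframe loads depends on the referrer policy in force for that load, a mechanism the comment above does not cover. The following is an added example, not flashproxy code and not part of the original message: a simplified model of the Referrer Policy computation in JavaScript, in which the `https` scheme, `blog.example`, `facilitator.example` and all function names are assumptions.

```javascript
// Added example: simplified model of the Referer value a browser sends.
// Simplification: a "downgrade" is https -> anything that is not https/wss.
// Host and path come from the post; the https scheme is an assumption.
const EMBED = "https://crypto.stanford.edu/flashproxy/embed.html";
const FACILITATOR = "https://facilitator.example/"; // hypothetical placeholder

// Returns the Referer header value, or null when no header is sent.
function computeReferer(referrerUrl, targetUrl, policy) {
  const from = new URL(referrerUrl), to = new URL(targetUrl);
  if (!["http:", "https:"].includes(from.protocol)) return null;
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" &&
                    !["https:", "wss:"].includes(to.protocol);
  // Browsers strip credentials and the fragment before sending.
  from.username = ""; from.password = ""; from.hash = "";
  const full = from.href;
  const origin = from.origin + "/";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return origin;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : origin;
    case "origin-when-cross-origin": return sameOrigin ? full : origin;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "strict-origin-when-cross-origin":
      return sameOrigin ? full : (downgrade ? null : origin);
    default: throw new Error("unknown policy: " + policy);
  }
}

// The two parties from the post: the iframe load carries the embedding page
// as referrer; requests made from inside the iframe carry embed.html instead.
function whatEachPartySees(embeddingPage, iframePolicy) {
  return {
    badgeHost: computeReferer(embeddingPage, EMBED, iframePolicy),
    facilitator: computeReferer(EMBED, FACILITATOR, "no-referrer-when-downgrade"),
  };
}

// Constructed embedding page URL.
const page = "https://blog.example/private/post?id=7#c2";
for (const p of ["no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"]) {
  console.log(p, whatEachPartySees(page, p));
}
```

On an `iframe` element the policy is set with the `referrerpolicy` attribute; with `no-referrer` the badge host receives no referrer at all, while the facilitator's view is unchanged because it never depended on the embedding page.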

