[tor-bugs] #6308 [Torbutton]: 3rd party HTTP auth removal is triggered whenever firefox attempts to fetch a nonexistant favicon.ico

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Thu Jul 5 16:40:13 UTC 2012


#6308: 3rd party HTTP auth removal is triggered whenever firefox attempts to fetch
a nonexistant favicon.ico
-----------------------------------------------------+----------------------
 Reporter:  cryptobear                               |          Owner:                  
     Type:  defect                                   |         Status:  new             
 Priority:  normal                                   |      Milestone:                  
Component:  Torbutton                                |        Version:  Torbutton: 1.4.4
 Keywords:  favicon, torbutton, 3rd party http auth  |         Parent:                  
   Points:                                           |   Actualpoints:                  
-----------------------------------------------------+----------------------
 * Torbutton about says 1.4.6 but that's not available in the version
 dropdown

 When browsing within a single website with no 3rd party content that uses
 HTTP authentication (in this case an simple onion site), the HTTP
 authentication is periodically invalidated and one is forced to re-
 authenticate. Setting the torbutton logging level to 3 the invalidation of
 the HTTP auth seems correspond to entries like the one below:

 Torbutton INFO: SSC: Parent browser for http://example.onion/favicon.ico
 Torbutton INFO: SSC: Segmenting http://example.onion/favicon.ico content
 loaded by browser
 Torbutton NOTE: Removing 3rd party HTTP auth for url:
 http://example.onion/favicon.ico

 The site in question does not have a favicon nor any header code
 indicating one should be fetched, and when Firefox makes a request for one
 automatically, it seems to invalidate the HTTP auth.

 Since this is an automatic behavior of Firefox, and at no point is a
 request for content from a 3rd party being made Torbutton should handle
 this case correctly (ie. not invalidate the HTTP auth session).

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6308>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list