[tor-bugs] #6458 [Firefox Patch Issues]: Disable HSTS for third party content on non-HSTS domains

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Tue Jul 24 02:10:08 UTC 2012


#6458: Disable HSTS for third party content on non-HSTS domains
----------------------------------+-----------------------------------------
 Reporter:  mikeperry             |          Owner:  mikeperry
     Type:  defect                |         Status:  new      
 Priority:  major                 |      Milestone:           
Component:  Firefox Patch Issues  |        Version:           
 Keywords:  tbb-linkability       |         Parent:           
   Points:                        |   Actualpoints:           
----------------------------------+-----------------------------------------
 With proper cache+identifier siloing to URL bar origin, it is no longer a
 security issue to allow third-party content from HSTS URLs to get loaded
 from non-HSTS sites. Therefore, we can disable HSTS enforcement for third
 parties in this case.

 This will eliminate a super-cookie vector that HSTS creates (registering
 32 domains, using HSTS for each domain as a bit).

 This is going to be a painful patch to write, though...

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6458>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
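As an added illustration (not code from the ticket or from Tor Browser), the following toy JavaScript model of a browser's HSTS store shows the 32-bit super-cookie the ticket describes and the effect of the proposed policy, read here as: no HSTS upgrade for third-party loads while the URL-bar site is not itself HSTS. Host names are constructed, and the first-party test is a simplified subdomain check rather than eTLD+1.

```javascript
// Added example, not code from the ticket or from Tor Browser: a toy model of a
// browser's HSTS store, showing the HSTS super-cookie and the effect of the
// proposed policy (no HSTS enforcement for third-party loads when the URL-bar
// site is not itself HSTS). Host names are constructed.

const BIT_HOSTS = Array.from({ length: 32 }, (_, i) => `b${i}.tracker.example`);

// Simplified first-party test: same host or a subdomain of the URL-bar host
// (a real browser would compare eTLD+1).
function isThirdParty(firstPartyHost, host) {
  return host !== firstPartyHost && !host.endsWith(`.${firstPartyHost}`);
}

class HstsStore {
  constructor({ thirdPartyEnforced }) {
    this.thirdPartyEnforced = thirdPartyEnforced;
    this.hosts = new Set(); // hosts that have sent Strict-Transport-Security
  }
  record(host) { this.hosts.add(host); }
  // Would an http:// request to `host`, issued while the URL bar shows
  // `firstPartyHost`, be upgraded to https://?
  upgrades(firstPartyHost, host) {
    if (!this.hosts.has(host)) return false;
    if (this.thirdPartyEnforced) return true; // unsiloed, global enforcement
    // Proposed policy: third-party content on a non-HSTS first party is not upgraded.
    return !isThirdParty(firstPartyHost, host) || this.hosts.has(firstPartyHost);
  }
}

// Embedded on any page, a tracker loads https:// subresources from the hosts
// whose bit is 1; each such response carries an HSTS header.
function writeBits(store, value) {
  BIT_HOSTS.forEach((host, i) => { if ((value >>> i) & 1) store.record(host); });
}

// Read back: issue http:// loads and observe which of them are upgraded.
function readBits(store, firstPartyHost) {
  let value = 0;
  BIT_HOSTS.forEach((host, i) => { if (store.upgrades(firstPartyHost, host)) value |= 1 << i; });
  return value >>> 0;
}

function demo(thirdPartyEnforced) {
  const store = new HstsStore({ thirdPartyEnforced });
  writeBits(store, 0xdeadbeef); // bits set while embedded on some site
  return {
    onTrackerSite: readBits(store, 'tracker.example'), // first party to the bit hosts
    onOtherSite: readBits(store, 'news.example'),      // non-HSTS site embedding the tracker
  };
}
```

With `thirdPartyEnforced` true the value is readable from any embedding site, which is the linkability problem; with it false the value is only visible when the tracker's own domain is the URL-bar origin.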

