[tor-bugs] #3600 [TorBrowserButton]: Prevent redirects from transmitting+storing cookies+identifiers

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Mon Jul 30 18:56:14 UTC 2012


#3600: Prevent redirects from transmitting+storing cookies+identifiers
------------------------------+---------------------------------------------
 Reporter:  mikeperry         |          Owner:  mikeperry                    
     Type:  defect            |         Status:  new                          
 Priority:  major             |      Milestone:  TorBrowserBundle 2.3.x-stable
Component:  TorBrowserButton  |        Version:                               
 Keywords:  tbb-linkability   |         Parent:                               
   Points:                    |   Actualpoints:                               
------------------------------+---------------------------------------------

Comment(by mikeperry):

 Another datapoint: Google adwords will in some cases transparently
 redirect you through www.google.com as a first party with a huge bunch of
 mystery data encoded in the GET url path. It's not a regular behavior for
 all ads, but my guess would be that it is done through a window.location-
 style JS redirect during ad click, since my browser status bar did not
 display a www.google.com destination url prior to click.

 I'm not sure if this example helps settle the "prompt or defang?" dilemma
 for these types of redirects.. That probably depends on common federated
 login mechanisms and viable alternatives, which in and of itself probably
 means "deploy the prompt first, and see what gets interrupted by it".

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3600#comment:20>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list