[tor-bugs] #5477 [EFF-HTTPS Everywhere]: Surprising DOM origins before HTTPS-E/NoScript redirects have completed
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Mon Jun 18 19:02:30 UTC 2012
#5477: Surprising DOM origins before HTTPS-E/NoScript redirects have completed
-------------------------------------+--------------------------------------
Reporter: Drugoy | Owner: ma1
Type: defect | Status: reopened
Priority: blocker | Milestone:
Component: EFF-HTTPS Everywhere | Version:
Resolution: | Keywords:
Parent: | Points:
Actualpoints: |
-------------------------------------+--------------------------------------
Comment(by pde):
A summary of possible solution strategies:
1. Make every redirect via about:blank#rewrite-id. Advantages: quick.
Disadvantages: extremely janky, will make our code much uglier; hard to
know whether requests will ever mutate if we do this; structures for
tracking the rewrite-ids will be a likely source of memory leaks.
2. Try to deny the malicious code access to the window once we're
rewriting inside it. Advantages: unknown. Disadvtanges: we don't know
whether this is possible, or how to do it.
3. Use the HSTS machinery. Advantages: will probably work.
Disadvantages: will require a Firefox patch (!!!) to expose those
mechanisms to JavaScript; the HSTS paths have probably never been tested
with cross-domain rewrites.
Mike Perry is looking into the feasibility of 3.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5477#comment:40>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list