[tor-bugs] #5477 [EFF-HTTPS Everywhere]: Surprising DOM origins before HTTPS-E/NoScript redirects have completed

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Tue May 8 19:52:32 UTC 2012


#5477: Surprising DOM origins before HTTPS-E/NoScript redirects have completed
-------------------------------------+--------------------------------------
    Reporter:  Drugoy                |       Owner:  ma1            
        Type:  defect                |      Status:  reopened       
    Priority:  blocker               |   Milestone:                 
   Component:  EFF-HTTPS Everywhere  |     Version:                 
  Resolution:                        |    Keywords:  MikePerry201204
      Parent:                        |      Points:  7              
Actualpoints:  7                     |  
-------------------------------------+--------------------------------------

Comment(by mikeperry):

 FTR: The behavior is quite different if you run
 http://ww2.cs.mu.oz.au/~pde/bugs/5477-tst.html in Tor Browser. For me, the
 URL bar in the popup goes through three states:

 1. I click Demo, and the popup has a URL of
 http://ww2.cs.mu.oz.au/~pde/bugs/5477-tst.html and the frogs popup appears
 immediately.

 2. A second goes by, and the URL bar turns to https://www.apple.com, with
 the content of the popup still in place (yes, this is bad, but keep
 reading).

 3. Another second or two goes by, and the redirect completes, and as far
 as I can tell, I'm now on the real https://www.apple.com URL with valid
 content.

 It's possible that when we tested this, step 2 happened very quickly for
 us (perhaps because both Peter and I were testing the fix on vanilla
 Firefox without Tor), and we didn't notice the interim state.

 Am I seeing the same thing everyone else is seeing? Is the blocker that is
 causing so many users to get hacked really this brief interim state in 2?
 Because if so, I'm very surprised that so many users are getting hacked so
 quickly.

 Not that the brief interim state isn't something that should be prevented
 if possible. I'm just surprised at all the screaming. Seems a bit
 unnecessary.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5477#comment:33>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

