[tor-bugs] #13784 [Tor Browser]: HTTP authentication tokens are not removed anymore for third party requests

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Nov 18 10:39:13 UTC 2014


#13784: HTTP authentication tokens are not removed anymore for third party requests
-------------------------+-------------------------------------------------
     Reporter:  gk       |      Owner:  tbb-team
         Type:  defect   |     Status:  new
     Priority:           |  Milestone:
  critical               |    Version:
    Component:  Tor      |   Keywords:  tbb-linkability, tbb-testcase,
  Browser                |  TorBrowserTeam201411
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:           |
-------------------------+-------------------------------------------------
Description changed by gk:

Old description:

> Fixing #13742 broke stripping off the Authorization header in case we are
> about to send them with third party requests. The relevant code in
> stanford-safecache.js was:
> {{{
>       try {
>         // Disable 3rd party http auth, but exempt the browser (for favicon loads)
>         // FIXME: Hrmm, this is just going to disable auth for 3rd party domains.
>         // It would be better if we could isolate the auth, but still
>         // allow it to be transmitted.. But I guess, who still uses http auth anyways?
>         if (channel.getRequestHeader("Authorization") !== null) {
>           if (parent_spec == "chrome://browser/content/browser.xul") {
>             torbutton_log(3, "Allowing auth for browser load of "+channel.URI.spec);
>           } else {
>             torbutton_safelog(4, "Removing 3rd party HTTP auth for url ",
>                               channel.URI.spec+", parent: "+parent_spec);
>             channel.setRequestHeader("Authorization", null, false);
>             channel.setRequestHeader("Pragma", null, false);
>             channel.setRequestHeader("Cache-Control", null, false);
>           }
>         }
>       } catch (e) {}
> }}}
> This is not an issue in our current stable but we need to get that fixed
> rather soon as we want to backport the fix for #13742 to our 4.0 series.

New description:

 Fixing #13742 broke stripping off the Authorization header in case we are
 about to send it with third party requests. The relevant code in stanford-
 safecache.js was:
 {{{
       try {
         // Disable 3rd party http auth, but exempt the browser (for favicon loads)
         // FIXME: Hrmm, this is just going to disable auth for 3rd party domains.
         // It would be better if we could isolate the auth, but still
         // allow it to be transmitted.. But I guess, who still uses http auth anyways?
         if (channel.getRequestHeader("Authorization") !== null) {
           if (parent_spec == "chrome://browser/content/browser.xul") {
             torbutton_log(3, "Allowing auth for browser load of "+channel.URI.spec);
           } else {
             torbutton_safelog(4, "Removing 3rd party HTTP auth for url ",
                               channel.URI.spec+", parent: "+parent_spec);
             channel.setRequestHeader("Authorization", null, false);
             channel.setRequestHeader("Pragma", null, false);
             channel.setRequestHeader("Cache-Control", null, false);
           }
         }
       } catch (e) {}
 }}}
 This is not an issue in our current stable but we need to get that fixed
 rather soon as we want to backport the fix for #13742 to our 4.0 series.
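The linkability risk behind this ticket is that a first-party credential in an Authorization header gets replayed to a third-party host embedded in the page, which lets that host tie the visit to an identity. The following is an added example (not Torbutton's or Tor Browser's own code) that models the decision the quoted snippet makes against a minimal stand-in for nsIHttpChannel, so the behaviour can be checked in isolation, in the spirit of the tbb-testcase keyword. Assumptions: MockChannel, isThirdParty (a plain hostname comparison, where the real browser would use its first-party isolation rules) and the first-party exemption are mine; the snippet itself strips whenever the parent is not browser.xul, and the enclosing code that establishes "third party" is not shown in the ticket. The mock's getRequestHeader throws when the header is absent, as nsIHttpChannel's does, which is why the original wraps the whole block in try/catch: the `!== null` comparison only ever runs when the header is present.

```javascript
// Added example; not Tor Browser / Torbutton code. Models the third-party
// Authorization stripping decision with a constructed mock channel.

const BROWSER_CHROME = "chrome://browser/content/browser.xul";

// Minimal stand-in for the nsIHttpChannel request-header API (assumption).
// Like the real interface, getRequestHeader throws when the header is not
// set; setRequestHeader(name, null, false) clears the header.
class MockChannel {
  constructor(uriSpec, headers) {
    this.URI = { spec: uriSpec };
    this._headers = new Map(Object.entries(headers));
  }
  getRequestHeader(name) {
    if (!this._headers.has(name)) {
      throw new Error("NS_ERROR_NOT_AVAILABLE: " + name);
    }
    return this._headers.get(name);
  }
  setRequestHeader(name, value, merge) {
    if (value === null) {
      this._headers.delete(name);
      return;
    }
    if (merge && this._headers.has(name)) {
      this._headers.set(name, this._headers.get(name) + ", " + value);
    } else {
      this._headers.set(name, value);
    }
  }
  hasHeader(name) {
    return this._headers.has(name);
  }
}

// Simplified third-party test (assumption): hostnames differ. A browser
// would compare registrable domains / first-party isolation keys instead.
function isThirdParty(requestSpec, parentSpec) {
  try {
    return new URL(requestSpec).hostname !== new URL(parentSpec).hostname;
  } catch (e) {
    return true; // unparsable parent: treat as third party (fail closed)
  }
}

// The policy modelled on the ticket's snippet: exempt browser-chrome loads
// (favicons), keep first-party auth, and on third-party requests drop
// Authorization together with the cache-related headers. Returns a label
// rather than logging so the outcome can be asserted on.
function applyThirdPartyAuthPolicy(channel, parentSpec) {
  try {
    channel.getRequestHeader("Authorization");
  } catch (e) {
    return "no-auth"; // header absent: nothing to strip
  }
  if (parentSpec === BROWSER_CHROME) {
    return "allowed-browser";
  }
  if (!isThirdParty(channel.URI.spec, parentSpec)) {
    return "allowed-first-party";
  }
  channel.setRequestHeader("Authorization", null, false);
  channel.setRequestHeader("Pragma", null, false);
  channel.setRequestHeader("Cache-Control", null, false);
  return "stripped";
}

// Constructed scenarios (hosts and credential are made up for the example).
function runScenarios() {
  const cred = "Basic dXNlcjpwYXNz"; // constructed: base64("user:pass")
  const thirdParty = new MockChannel("https://cdn.example.net/img.png", {
    Authorization: cred,
    "Cache-Control": "no-cache",
  });
  const firstParty = new MockChannel("https://example.org/api", {
    Authorization: cred,
  });
  const browserLoad = new MockChannel("https://cdn.example.net/favicon.ico", {
    Authorization: cred,
  });
  const noAuth = new MockChannel("https://cdn.example.net/img.png", {});
  return {
    thirdParty: applyThirdPartyAuthPolicy(thirdParty, "https://example.org/page"),
    thirdPartyHeadersGone:
      !thirdParty.hasHeader("Authorization") && !thirdParty.hasHeader("Cache-Control"),
    firstParty: applyThirdPartyAuthPolicy(firstParty, "https://example.org/page"),
    firstPartyHeaderKept: firstParty.hasHeader("Authorization"),
    browserLoad: applyThirdPartyAuthPolicy(browserLoad, BROWSER_CHROME),
    noAuth: applyThirdPartyAuthPolicy(noAuth, "https://example.org/page"),
  };
}

console.log(runScenarios());
```

Running the scenarios shows the four outcomes the snippet distinguishes: the third-party request loses Authorization and Cache-Control, the first-party request keeps its header, the browser-chrome load is exempted, and a request with no Authorization header takes the exception path and is left untouched. A regression test for the ticket is the first scenario: after the #13742 change, the header survived on the third-party channel.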

--

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13784#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online