[tor-bugs] #15599 [Tor Browser]: Range requests are not isolated to URL -bar domain
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Apr 6 12:49:28 UTC 2015
#15599: Range requests are not isolated to URL -bar domain
--------------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: defect | Status: new
Priority: major | Milestone:
Component: Tor Browser | Version:
Keywords: tbb-linkability, tbb-4.5-alpha | Actual Points:
Parent ID: | Points:
--------------------------------------------+--------------------------
If a server sends the Accept-Range header + a proper content size Tor
Browser is starting range requests that are not isolated to the URL bar
domain. You can test this e.g. with
https://kpdyer.com/publications/usenix2014-fte.pdf. Works even in a third
party context with https://people.torproject.org/~gk/misc/range-request-
test.html (your security slider level needs to be below medium-high in
this case).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15599>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list