[tor-bugs] #15968 [BridgeDB]: Add a "Content-Security-Policy" header to BridgeDB's HTTPS Distributor
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Jul 24 23:24:48 UTC 2015
#15968: Add a "Content-Security-Policy" header to BridgeDB's HTTPS Distributor
-----------------------------+-------------------------------------
Reporter: isis | Owner: isis
Type: enhancement | Status: new
Priority: major | Milestone:
Component: BridgeDB | Version:
Resolution: | Keywords: bridgedb-https security
Actual Points: | Parent ID:
Points: |
-----------------------------+-------------------------------------
Comment (by isis):
Replying to [comment:2 bastik]:
> > a malicious bridge could specify in its Pluggable Transport arguments in its extrainfo descriptor
>
> I assume it is hard to sanitize the descriptor without breaking anything. Although it would benefit all users if script tags would be filtered out and pluggable transports don't use them.
>
We do this too. See
[https://gitweb.torproject.org/user/isis/bridgedb.git/commit/?id=faf48983 commit] `faf48983` and
[https://gitweb.torproject.org/user/isis/bridgedb.git/commit/?id=ccb3b8d1 commit] `ccb3b8d1`.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15968#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online