[tor-bugs] #13670 [Tor Browser]: ensure OCSP & favicons respect URL bar domain isolation

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jun 25 23:11:40 UTC 2015


#13670: ensure OCSP & favicons respect URL bar domain isolation
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  arthuredelstein
  arthuredelstein        |     Status:  needs_review
         Type:  defect   |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  tbb-linkability, ff38-esr,
  Browser                |  MikePerry201505R, TorBrowserTeam201506R, tbb-5
   Resolution:           |  .0a-highrisk
Actual Points:           |  Parent ID:
       Points:           |
-------------------------+-------------------------------------------------
Changes (by arthuredelstein):

 * status:  needs_revision => needs_review


Comment:

 Here's a new fixup patch that addresses issues mentioned in comment:38 and
 comment:40. I fixed the code in nsHTTPDownloadEvent::Run by prepending an
 "https://" scheme to the isolation domain.

 https://github.com/arthuredelstein/tor-browser/commit/c95f25a009d421a7cf38e56cc4c6fe83ff43c438

 I tested this patch and confirmed that most OCSP requests are isolated to
 the first party domain. However, some OCSP requests go on the No-First-
 Party circuit, apparently because they are prompted by favicon requests or
 Tor Browser update requests.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13670#comment:42>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

