[tor-bugs] #13670 [Tor Browser]: ensure OCSP requests respect URL bar domain isolation

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jun 30 15:32:14 UTC 2015


#13670: ensure OCSP requests respect URL bar domain isolation
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  arthuredelstein
  arthuredelstein        |     Status:  needs_review
         Type:  defect   |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  tbb-linkability, ff38-esr,
  Browser                |  MikePerry201505R, TorBrowserTeam201506R, tbb-5
   Resolution:           |  .0a-highrisk
Actual Points:           |  Parent ID:
       Points:           |
-------------------------+-------------------------------------------------

Comment (by mikeperry):

 Replying to [comment:42 arthuredelstein]:
 > Here's a new fixup patch that addresses issues mentioned in comment:38
 > and comment:40. I fixed the code in nsHTTPDownloadEvent::Run by prepending
 > an "https://" scheme to the isolation domain.
 >
 > https://github.com/arthuredelstein/tor-browser/commit/c95f25a009d421a7cf38e56cc4c6fe83ff43c438
 >
 > I tested this patch and confirmed that most OCSP requests are isolated
 > to the first party domain. However, some OCSP requests go on the
 > No-First-Party circuit, apparently because they are prompted by favicon
 > requests or Tor Browser update requests.

 This last case should be solved by #16448, right? Or is there an
 additional issue here?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13670#comment:44>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

