[tor-bugs] #9623 [Tor Browser]: Referers being sent from hidden service websites
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Oct 3 06:52:47 UTC 2015
#9623: Referers being sent from hidden service websites
-----------------------------+---------------------------
Reporter: cypherpunks | Owner: tbb-team
Type: defect | Status: new
Priority: major | Milestone:
Component: Tor Browser | Version:
Resolution: | Keywords: tbb-torbutton
Actual Points: | Parent ID:
Points: | Sponsor:
-----------------------------+---------------------------
Comment (by zyan):
I have some spare time in the next week or so; let me know if you want me
to rebase my 14-month old patch for this issue.
https://github.com/diracdeltas/torbutton/pull/1/files
Note that Firefox 36 implemented meta-referrer, so in the meantime, .onion
site owners can simply add a HTML meta tag to clear all referrers on the
document. https://bugzilla.mozilla.org/show_bug.cgi?id=704320
Actually, Firefox 37 added CSP referrer policy, so that is another option.
https://bugzilla.mozilla.org/show_bug.cgi?id=965727
I guess that also means the patch above could be simplified by injecting
the CSP no-referrer header on HTTP responses for .onion documents.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9623#comment:17>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list