[tor-bugs] #16920 [Tor Browser]: Referer Header should be disabled for new tabs

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Sep 28 09:47:53 UTC 2015


#16920: Referer Header should be disabled for new tabs
------------------------------+----------------------
     Reporter:  someone_else  |      Owner:  tbb-team
         Type:  defect        |     Status:  new
     Priority:  major         |  Milestone:
    Component:  Tor Browser   |    Version:
   Resolution:                |   Keywords:
Actual Points:                |  Parent ID:
       Points:                |    Sponsor:
------------------------------+----------------------
Changes (by cypherpunks):

 * priority:  normal => major


Comment:

 This kind of session tracking even works for https. E.g. search with
 Disconnect search. Links to https sites opened in new tabs will include
 the search id as referer:
 Referer: https://search.disconnect.me/searchTerms/serp?search=be546373-ac83-4a7e-968d-354236197519

 Many sites now use Cloudfront as an https frontend. Cloudfront has access to
 the referrers across different URL bar domains / circuits, since they
 handle the encryption.

 There are many more examples, where unique IDs are included in referers.
 E.g. PHP session IDs are very common.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16920#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
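
Added example (not part of the ticket and not Tor Browser code): a model of which standard Referrer-Policy values would still carry the search id from the comment above to another origin, with a heuristic check for identifier-like query values. The destination https://example.org/ and all function names are constructed for illustration.

```javascript
// SERP_URL is the Referer value quoted in the ticket;
// DEST_URL is a constructed destination on a different origin.
const SERP_URL = 'https://search.disconnect.me/searchTerms/serp?search=be546373-ac83-4a7e-968d-354236197519';
const DEST_URL = 'https://example.org/';

// Heuristic patterns for values that identify a session rather than content.
const ID_PATTERNS = [
  /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i, // UUID, as in the search id
  /^[0-9a-z]{26,}$/i,                              // long opaque token, e.g. a PHP session ID
];

// Names of query parameters in `url` whose values look like unique IDs.
function identifierParams(url) {
  const hits = [];
  for (const [name, value] of new URL(url).searchParams) {
    if (ID_PATTERNS.some((re) => re.test(value))) hits.push(name);
  }
  return hits;
}

// Referer a client would send when navigating from `source` to `dest`
// under a Referrer-Policy value; null means the header is omitted.
function refererFor(source, dest, policy) {
  const src = new URL(source);
  const dst = new URL(dest);
  src.hash = '';      // fragments and credentials are never sent
  src.username = '';
  src.password = '';
  const crossOrigin = src.origin !== dst.origin;
  const downgrade = src.protocol === 'https:' && dst.protocol !== 'https:';
  switch (policy) {
    case 'no-referrer': return null;
    case 'no-referrer-when-downgrade': return downgrade ? null : src.href;
    case 'same-origin': return crossOrigin ? null : src.href;
    case 'origin-when-cross-origin': return crossOrigin ? src.origin + '/' : src.href;
    default: throw new Error('unsupported policy: ' + policy);
  }
}

// True when the header sent to `dest` would carry an identifier-like value.
function leaksIdentifier(source, dest, policy) {
  const referer = refererFor(source, dest, policy);
  return referer !== null && identifierParams(referer).length > 0;
}

for (const p of ['no-referrer-when-downgrade', 'origin-when-cross-origin', 'same-origin']) {
  console.log(p, '->', refererFor(SERP_URL, DEST_URL, p), 'leak:', leaksIdentifier(SERP_URL, DEST_URL, p));
}
```

Under no-referrer-when-downgrade the https-to-https navigation keeps the full URL, which matches the comment's point that https does not prevent this kind of tracking.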

