[tor-bugs] #21756 [Applications/Tor Browser]: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Apr 10 16:22:54 UTC 2017


#21756: HTTP Authentication data is still sent to third parties with ESR 52 based
Tor Browser
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:
                                                 |  assigned
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, TorBrowserTeam201704,      |  Actual Points:
  tbb-7.0-must-alpha                             |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor4
-------------------------------------------------+-------------------------

Comment (by arthuredelstein):

 Replying to [comment:6 gk]:
 > Replying to [comment:2 arthuredelstein]:
 > > In the #20680 branch, I dropped our #13900 patch because ESR52 is
 > > supposed to isolate HTTP Auth by first party. There is an automated test
 > > in ESR52 from https://bugzilla.mozilla.org/1301523. So I think the
 > > http://ip-check.info site is detecting that the HTTP Auth credentials are
 > > being saved to the third party, but it isn't testing if these credentials
 > > are shared with the first party.
 >
 > I am not so sure about that. They are saved in Tor Browser 6.5.1 as well
 > but still the test passes with it. We are stripping the third party
 > headers when we are doing a request.

 You're right, I misspoke here. I should have said, the ip-check site is
 detecting if third-party credentials are sent back at all, but it isn't
 testing if these credentials are sent back under a different first party.

 > Now, the most likely explanation is that the test is showing a red
 > outcome just in case it gets any third party headers back. Then this would
 > be indeed no issue for us. What it actually does is implement:
 >
 > http://blog.jeremiahgrossman.com/2007/04/tracking-users-without-cookies.html
 >
 > using things like http://Session:483452791@ipcheck.info/auth.css.php in
 > a stylesheet link from ip-check.info to work without JS as well.
 >
 > Do you think you could come up with a test for that scenario, too, to be
 > extra sure that nothing is sneaking in?

 So my test from comment:2 is already testing if any third-party headers
 are received back under a new first party. Are you interested in testing
 the silent authentication scenario (with and without JS), or is there some
 other characteristic of that demo you would like to test?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21756#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
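Added illustration, not code from the ticket, Tor Browser or ip-check.info: a toy Python model of the distinction drawn above, a browser HTTP-auth cache keyed by host only versus by (host, first party), replayed against the silent-authentication stylesheet scenario. The first-party names, the plain stylesheet URL and the cache shape are assumptions; only the credentialed URL comes from the ticket.

```python
# Toy model of a browser's HTTP Basic auth cache, with and without
# first-party isolation, replaying the "silent authentication" scenario:
# a page on first party A embeds a third-party stylesheet URL carrying
# credentials; a page on first party B later embeds the same stylesheet
# without them. The oracle reports whether the cached Authorization header
# is resent under A (sent back at all) and under B (sent back cross-site).
import base64
from urllib.parse import urlsplit

# URL quoted in the ticket; everything else below is constructed.
CRED_URL = "http://Session:483452791@ipcheck.info/auth.css.php"
PLAIN_URL = "http://ipcheck.info/auth.css.php"      # assumed plain embed
FIRST_PARTY_A, FIRST_PARTY_B = "site-a.example", "site-b.example"  # assumed

def basic_auth_header(user, password):
    """Build the Authorization value a browser derives from URL credentials."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

class Browser:
    """Minimal auth cache. isolate=True keys entries by (host, first party),
    the behaviour first-party isolation is meant to give; isolate=False keys
    by host only, so any embedding site reuses the stored credentials."""
    def __init__(self, isolate):
        self.isolate = isolate
        self.cache = {}

    def _key(self, host, first_party):
        return (host, first_party) if self.isolate else (host,)

    def fetch(self, url, first_party):
        """Return the Authorization header this browser would send, or None."""
        parts = urlsplit(url)
        if parts.username is not None:
            # Credentials embedded in the URL are used now and remembered.
            header = basic_auth_header(parts.username, parts.password or "")
            self.cache[self._key(parts.hostname, first_party)] = header
            return header
        return self.cache.get(self._key(parts.hostname, first_party))

def silent_auth_leaks(isolate):
    """Replay the scenario; return (resent_under_A, resent_under_B)."""
    browser = Browser(isolate)
    browser.fetch(CRED_URL, FIRST_PARTY_A)
    same_party = browser.fetch(PLAIN_URL, FIRST_PARTY_A) is not None
    other_party = browser.fetch(PLAIN_URL, FIRST_PARTY_B) is not None
    return same_party, other_party
```

A check that only looks at the first element of the tuple corresponds to "sent back at all"; the second element is the cross-first-party case the comment says the ip-check test does not cover.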
