[tor-bugs] #21756 [Applications/Tor Browser]: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Apr 11 10:48:58 UTC 2017


#21756: HTTP Authentication data is still sent to third parties with ESR 52 based
Tor Browser
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-team
     Type:  defect                               |         Status:  assigned
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, TorBrowserTeam201704,      |  Actual Points:
  tbb-7.0-must-alpha                             |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:  Sponsor4
-------------------------------------------------+-------------------------

Comment (by gk):

 Replying to [comment:7 arthuredelstein]:
 > Replying to [comment:6 gk]:
 > > Do you think you could come up with a test for that scenario, too, to
 > > be extra sure that nothing is sneaking in?
 >
 > So my test from comment:2 is already testing if any third-party headers
 > are received back under a new first party. Are you interested in testing
 > the silent authentication scenario (with and without JS), or is there some
 > other characteristic of that demo you would like to test?

 If you think there is no loophole where this kind of feature abuse can
 subvert our defenses then feel free to close this ticket without adding a
 particular test for the ip-check scenario.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21756#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

