[tor-commits] [torbutton/master] Bug #3748: Disable 3rd party HTTP auth

mikeperry at torproject.org mikeperry at torproject.org
Sat Aug 27 22:39:14 UTC 2011


commit 5032b8897b45229f62307f80b9dce401e4f734f7
Author: Mike Perry <mikeperry-git at fscked.org>
Date:   Sat Aug 27 15:25:00 2011 -0700

    Bug #3748: Disable 3rd party HTTP auth
    
    We do this by removing the Authenticate header. Users will now experience
    dialogs informing them of incorrect authenticate attempts in the event of an
    attack/attempted use of 3rd party auth. See #3837 for the bug to improve the
    dialog.
---
 src/chrome/content/stanford-safecache.js |   12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

diff --git a/src/chrome/content/stanford-safecache.js b/src/chrome/content/stanford-safecache.js
index 0b08bda..4dd388d 100644
--- a/src/chrome/content/stanford-safecache.js
+++ b/src/chrome/content/stanford-safecache.js
@@ -140,6 +140,18 @@ SSC_RequestListener.prototype =
                " content loaded by " + parent_host);
       this.setCacheKey(channel, parent_host);
       referrer = parent_host;
+      try {
+        // Disable 3rd party http auth
+        // FIXME: Hrmm, this is just going to disable auth for 3rd party domains.
+        // It would be better if we could isolate the auth, but still
+        // allow it to be transmitted.. But I guess, who still uses http auth anyways?
+        if (channel.getRequestHeader("Authorization") !== null) {
+          torbutton_safelog(4, "Removing 3rd party HTTP auth for url: ", channel.URI.spec);
+          channel.setRequestHeader("Authorization", null, false);
+          channel.setRequestHeader("Pragma", null, false);
+          channel.setRequestHeader("Cache-Control", null, false);
+        }
+      } catch (e) {}
     } else {
       referrer = channel.URI.host;  
       if(!this.readCacheKey(channel.cacheKey)) {
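Review bot: The empty `catch (e) {}` that closes the added block makes the header stripping fail open: an exception from any of the three `setRequestHeader` calls is swallowed, and the third-party request then goes out with whatever headers it still carries, with nothing logged. As far as I know, `getRequestHeader` throws when the header is absent, so the catch is really the "no Authorization header" path and the `!== null` test adds little. Keeping only that probe in the silent try and logging failures of the removal separately would keep the two cases apart. The `Pragma` and `Cache-Control` removals also need a comment saying why they are cleared together with `Authorization`, since the FIXME only discusses auth. The enclosing method of `SSC_RequestListener.prototype` starts and ends outside the hunk.

```javascript
      referrer = parent_host;
      var has_auth = false;
      try {
        // Probe only: a throw here is taken to mean "header not set".
        has_auth = channel.getRequestHeader("Authorization") !== null;
      } catch (e) {}
      if (has_auth) {
        try {
          // … unchanged: safelog call and the three setRequestHeader calls …
        } catch (e) {
          // Removal failed: the request may still carry credentials, so say so.
          torbutton_safelog(4, "Failed to remove 3rd party HTTP auth (" + e + ") for url: ", channel.URI.spec);
        }
      }
```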




