[tor-commits] [meek/webextension] Strip unneeded headers by default.

dcf at torproject.org
Fri Feb 15 21:58:43 UTC 2019

commit 7c57727cdbefb4916984bc20cf4d42e903cbc27d
Author: David Fifield <david at bamsoftware.com>
Date:   Fri Feb 15 13:55:53 2019 -0700

    Strip unneeded headers by default.

    These are:

    Cf. https://bugs.torproject.org/12778

    In the old extension we stripped *all* headers, except for
    Content-Length and Content-Type, which got set by
    nsIUploadChannel.setUploadStream; and Connection, which somehow
    automatically got the value "keep-alive".

    In the new WebExtension, stripping all headers really strips them all,
    including Content-Length, without which web servers may refuse to deal
    with us. So instead, just delete an enumerated list of headers that seem
    unnecessary; or, like Cookie or Origin, may enable cross-session

    Before this change (url=https://meek.azureedge.net/ front=ajax.aspnetcdn.com):

    Accept: */*
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.5
    Cache-Control: no-cache
    Connection: keep-alive
    Content-Length: 0
    Host: meek.azureedge.net
    Origin: moz-extension://3b29e17d-f486-48b9-8a03-782237114ad3
    Pragma: no-cache
    TE: Trailers
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
    X-Session-Id: QE9IrvZFtFc

    After this change:

    Accept-Encoding: gzip, deflate, br
    Cache-Control: no-cache
    Connection: keep-alive
    Content-Length: 0
    Host: meek.azureedge.net
    Pragma: no-cache
    TE: Trailers
    X-Session-Id: CKOaxq4SVqM
 webextension/background.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
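The header filtering the commit message describes, reimplemented here as a stand-alone function so the "before" and "after" lists above can be reproduced offline. This is an added example, not the meek webextension's own code: the names `STRIPPED_BY_DEFAULT`, `stripBrowserHeaders`, `headerNames` and the two sample arrays are assumptions, and the sample input is the "Before this change" list from the commit message with `X-Session-Id` moved to the requested side, since that header comes from the client's request spec rather than from the browser.

```javascript
// Added example (not meek's own webextension code): the default header
// stripping from the commit message, as a pure function over header lists.

// Headers dropped from every request unless the request spec sets them
// itself; this is the enumerated list from the commit.
const STRIPPED_BY_DEFAULT = ["Accept", "Accept-Language", "Cookie", "Origin", "User-Agent"];

// browserHeaders: [{name, value}] as the browser would send them.
// requested:      [{name, value}] from the meek client's request spec.
// Returns browser headers minus the default strip list and minus anything
// the request overrides, followed by the requested headers.
function stripBrowserHeaders(browserHeaders, requested) {
    // Keyed by lowercased name so comparison is case-insensitive. A Set is
    // used rather than `name in {...}`: `in` also walks the prototype chain,
    // so "constructor" in {} is true and such a header would be dropped.
    const overrides = new Set(requested.map(h => h.name.toLowerCase()));
    for (const name of STRIPPED_BY_DEFAULT) {
        overrides.add(name.toLowerCase());
    }
    const kept = browserHeaders.filter(h => !overrides.has(h.name.toLowerCase()));
    return kept.concat(requested);
}

// Names only, in order, for easy comparison against the commit message.
function headerNames(headers) {
    return headers.map(h => h.name);
}

// Constructed sample: the "Before this change" list from the commit message,
// minus X-Session-Id, which comes from the request spec rather than the browser.
const SAMPLE_BROWSER_HEADERS = [
    {name: "Accept", value: "*/*"},
    {name: "Accept-Encoding", value: "gzip, deflate, br"},
    {name: "Accept-Language", value: "en-US,en;q=0.5"},
    {name: "Cache-Control", value: "no-cache"},
    {name: "Connection", value: "keep-alive"},
    {name: "Content-Length", value: "0"},
    {name: "Host", value: "meek.azureedge.net"},
    {name: "Origin", value: "moz-extension://3b29e17d-f486-48b9-8a03-782237114ad3"},
    {name: "Pragma", value: "no-cache"},
    {name: "TE", value: "Trailers"},
    {name: "User-Agent", value: "Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0"},
];

// Constructed sample: what the meek client asked to send on this request.
const SAMPLE_REQUESTED = [
    {name: "X-Session-Id", value: "QE9IrvZFtFc"},
];

// Prints the "After this change" list from the commit message.
for (const h of stripBrowserHeaders(SAMPLE_BROWSER_HEADERS, SAMPLE_REQUESTED)) {
    console.log(`${h.name}: ${h.value}`);
}
```

Requested headers win over browser headers of the same name regardless of case, and the default strip list is applied even when the request spec does not mention those names, which is exactly the difference between the two header lists in the commit message.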

diff --git a/webextension/background.js b/webextension/background.js
index e07f68a..2bd0d11 100644
--- a/webextension/background.js
+++ b/webextension/background.js
@@ -135,7 +135,6 @@ async function roundtrip(request) {
         // Don't follow redirects (we'll get resp.status:0 if there is one).
         init.redirect = "manual";
-        // TODO: strip Origin header?
         // TODO: proxy
     } catch (error) {
         return {error: `request spec failed valiation: ${error.message}`};
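Review bot: the unchanged context line `return {error: \`request spec failed valiation: ${error.message}\`};` carries a typo in the error string (valiation → validation); since this hunk already edits the comment block a few lines above it, that is a cheap drive-by fix. Dropping the `// TODO: strip Origin header?` comment is consistent with Origin being added to the default strip list in the second hunk.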
@@ -165,6 +164,10 @@ async function roundtrip(request) {
                 .map(x => ({name: x[0], value: x[1]}));
             // Remove all browser headers that conflict with requested headers.
             let overrides = Object.fromEntries(headers.map(x => [x.name.toLowerCase(), true]));
+            // Also remove some unnecessary or potentially tracking-enabling headers.
+            for (let name of ["Accept", "Accept-Language", "Cookie", "Origin", "User-Agent"]) {
+                overrides[name.toLowerCase()] = true;
+            }
             let browserHeaders = details.requestHeaders.filter(x => !(x.name.toLowerCase() in overrides));
             return {requestHeaders: browserHeaders.concat(headers)};
         } finally {
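Review bot: `overrides` is a plain object built with `Object.fromEntries`, and the line `let browserHeaders = details.requestHeaders.filter(x => !(x.name.toLowerCase() in overrides));` tests membership with `in`, which also walks the prototype chain, so a browser header whose lowercased name matches an `Object.prototype` property (for example `constructor`) would be silently dropped. A `Set` of lowercased names checked with `.has()` avoids that and lets the new `for` loop add names without re-lowercasing a literal list; the five-name list would also read better as a module-level constant so the commit message's enumerated list has one place to point at.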
