[tor-dev] #9623 [Tor Browser]: Referers being sent from hidden service websites

Tim Wilson-Brown - teor teor2345 at gmail.com
Tue Oct 6 23:15:07 UTC 2015

Hi All,

Currently there’s an information leak in Tor Browser: it sends referrer headers containing .onion site addresses when the user clicks on a link on the .onion site.

There’s a fix in the works, but we were wondering:
Does anyone’s hidden service depend on the referrer header?
The currently favoured fix is to stop sending referrers cross-origin (between different .onion sites, and between .onion sites and sites on the internet).

But this may break sites that are set up with multiple .onion addresses and use referrers to check that requests are coming from the parent site. (People sometimes set up different .onion sites to serve different types of content, such as images.)

In general, I would discourage people from using referrers in this way, because they aren’t secure and can be faked.

But does anyone have a compelling use case for cross-origin referrers, or is using them at the moment?
We could include a preference if removing them would break too many sites.


Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP 968F094B

teor at blah dot im
OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20151007/0abfd994/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 873 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20151007/0abfd994/attachment-0001.sig>

More information about the tor-dev mailing list