[tor-dev] #9623 [Tor Browser]: Referers being sent from hidden service websites

Tom Ritter tom at ritter.vg
Wed Oct 7 01:57:20 UTC 2015

What's the fix in the works?  There is a specification being developed
to allow sites to opt to remove referers (or opt to let them leak
*more* information.) http://www.w3.org/TR/referrer-policy/

(If you're wondering why one would want to leak more information, it's
basically to promote HTTPS adoption. One of the things holding back
HTTPS adoption is the lack of Referer on a HTTPS->HTTP link, so by
removing that constraint, the originating origin can move to HTTPS.)

Firefox supports Referrer Policy as of 36:
https://blog.mozilla.org/security/2015/01/21/meta-referrer/ so
arguably HS owners have the ability to fix this themselves for users
on ESR38.


On 6 October 2015 at 18:15, Tim Wilson-Brown - teor <teor2345 at gmail.com> wrote:
> Hi All,
> Currently there’s an information leak in Tor Browser: it sends referrer
> headers containing .onion site addresses when the user clicks on a link on
> the .onion site.
> There’s a fix in the works, but we were wondering:
> Does anyone’s hidden service depend on the referrer header?
> The currently favoured fix is to stop sending referrers cross-origin
> (between different .onion sites, and between .onion sites and sites on the
> internet).
> But this may break sites that are set up with multiple .onion addresses and
> use referrers to check that requests are coming from the parent site.
> (People sometimes set up different .onion sites to serve different types of
> content, such as images.)
> In general, I would discourage people from using referrers in this way,
> because they aren’t secure and can be faked.
> But does anyone have a compelling use case for cross-origin referrers, or is
> using them at the moment?
> We could include a preference if removing them would break too many sites.
> Tim
> Tim Wilson-Brown (teor)
> teor2345 at gmail dot com
> PGP 968F094B
> teor at blah dot im
> OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
> _______________________________________________
> tor-dev mailing list
> tor-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

More information about the tor-dev mailing list