[tor-dev] #9623 [Tor Browser]: Referers being sent from hidden service websites

yan yan at torproject.org
Wed Oct 7 02:57:26 UTC 2015 

Hey Tom and co,

I am the person who wrote the fix in a hurry 14 months ago (as a 
stop-gap before FF38 with all its referer goodness was released). Glad 
it's finally being reviewed!

Here is the patch: https://github.com/diracdeltas/torbutton/pull/1/files
Here is the ticket: https://trac.torproject.org/projects/tor/ticket/9623

The patch only clears referer on cross-domain requests involving THS's. 
So referer will be preserved on http(s)://www.facebookcorewwwi.onion to 
http(s)://cdn.facebookcorewwwi.onion, for instance. Referer will NOT be 
sent to http(s)://someotheronion.onion or http://google.com, for instance.

I agree HS owners can do this with CSP1.1 right now (or the old <meta> 
referrer tags, though i think that was reverted in Firefox?) but it's 
important enough to prevent leaks that I think the client should handle it.

Cheers,
Yan

On 10/6/15 9:57 PM, Tom Ritter wrote:
> What's the fix in the works?  There is a specification being developed
> to allow sites to opt to remove referers (or opt to let them leak
> *more* information.) http://www.w3.org/TR/referrer-policy/
>
> (If you're wondering why one would want to leak more information, it's
> basically to promote HTTPS adoption. One of the things holding back
> HTTPS adoption is the lack of Referer on a HTTPS->HTTP link, so by
> removing that constraint, the originating origin can move to HTTPS.)
>
> Firefox supports Referrer Policy as of 36:
> https://blog.mozilla.org/security/2015/01/21/meta-referrer/ so
> arguably HS owners have the ability to fix this themselves for users
> on ESR38.
>
> -tom
>
>
> On 6 October 2015 at 18:15, Tim Wilson-Brown - teor <teor2345 at gmail.com> wrote:
>> Hi All,
>>
>> Currently there’s an information leak in Tor Browser: it sends referrer
>> headers containing .onion site addresses when the user clicks on a link on
>> the .onion site.
>>
>> There’s a fix in the works, but we were wondering:
>> Does anyone’s hidden service depend on the referrer header?
>> The currently favoured fix is to stop sending referrers cross-origin
>> (between different .onion sites, and between .onion sites and sites on the
>> internet).
>>
>> But this may break sites that are set up with multiple .onion addresses and
>> use referrers to check that requests are coming from the parent site.
>> (People sometimes set up different .onion sites to serve different types of
>> content, such as images.)
>>
>> In general, I would discourage people from using referrers in this way,
>> because they aren’t secure and can be faked.
>>
>> But does anyone have a compelling use case for cross-origin referrers, or is
>> using them at the moment?
>> We could include a preference if removing them would break too many sites.
>>
>> Tim
>>
>> Tim Wilson-Brown (teor)
>>
>> teor2345 at gmail dot com
>> PGP 968F094B
>>
>> teor at blah dot im
>> OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
>>
>>
>> _______________________________________________
>> tor-dev mailing list
>> tor-dev at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
>>
> _______________________________________________
> tor-dev mailing list
> tor-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
>

More information about the tor-dev mailing list