[tbb-bugs] #9623 [Tor Browser]: Referers being sent from hidden service websites
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Oct 7 02:55:29 UTC 2015
#9623: Referers being sent from hidden service websites
---------------------------+-----------------------------------------------
 Reporter: cypherpunks     | Owner: tbb-team
 Type: defect              | Status: needs_revision
 Priority: major           | Milestone:
 Component: Tor Browser    | Version:
 Resolution:               | Keywords: tbb-torbutton, tbb-security, TorBrowserTeam201510R
 Actual Points:            | Parent ID:
 Points:                   | Sponsor:
---------------------------+-----------------------------------------------
Comment (by zyan):
Replying to [comment:31 teor]:
> Replying to [comment:28 zyan]:
> > Will fix. On further thought, maybe just get rid of the pref entirely
> > until #17228? I can't think of an immediate use case where one would want
> > to enable cross-origin onion referrers.
>
> Onion-sites using sub-onions to host (static) content.
> Or the onion-per-role design that Facebook (and perhaps other sites) use
> (I think it's upload, static, and dynamic).
>
I am working with Alec Muffett at Facebook to see if this patch affects
their use case, since they use a different onion domain as a CDN.
Note that the patch does NOT affect referrer passage between onions and
sub-onions. Those are considered the same origin, so the referrer is sent
as usual.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9623#comment:33>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online