[tbb-bugs] #16920 [Tor Browser]: Referer Header should be disabled for new tabs
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Sep 28 09:47:53 UTC 2015
#16920: Referer Header should be disabled for new tabs
------------------------------+----------------------
Reporter: someone_else | Owner: tbb-team
Type: defect | Status: new
Priority: major | Milestone:
Component: Tor Browser | Version:
Resolution: | Keywords:
Actual Points: | Parent ID:
Points: | Sponsor:
------------------------------+----------------------
Changes (by cypherpunks):
* priority: normal => major
Comment:
This kind of session tracking even works for https. E.g. search with
Disconnect search. Links to https sites opened in new tabs will include
the search id as referer:
Referer: https://search.disconnect.me/searchTerms/serp?search=be546373-ac83-4a7e-968d-354236197519
Many sites now use Cloudfront as https frontend. Cloudfront has access to
the referrers across different URL bar domains / circuits, since they
handle the encryption.
There are many more examples, where unique IDs are included in referers.
E.g. PHP session IDs are very common.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16920#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
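
The leak described in the comment above can be checked mechanically. The following is an added example, not part of the ticket and not Tor Browser code: it flags cross-origin navigations whose Referer carries a UUID or session parameter, and shows what would be sent under an assumed policy equivalent to `Referrer-Policy: same-origin`. Function names and all sample navigations except the Disconnect search URL are constructed.

```javascript
// Added example: helper names are hypothetical, sample navigations are constructed.
const UUID_RE = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i;
const SESSION_PARAM_RE = /^(phpsessid|jsessionid|sid|session_?id)$/i;

// List the parts of a Referer URL that can act as a stable per-user identifier.
function referrerIdentifiers(referrer) {
  const url = new URL(referrer);
  const findings = [];
  if (UUID_RE.test(url.pathname)) findings.push("uuid in path");
  for (const [name, value] of url.searchParams) {
    if (UUID_RE.test(value)) findings.push(`uuid in query parameter "${name}"`);
    else if (SESSION_PARAM_RE.test(name)) findings.push(`session parameter "${name}"`);
  }
  return findings;
}

// Assumed mitigation policy (equivalent to Referrer-Policy: same-origin):
// full URL minus fragment and credentials within one origin, nothing across origins.
function refererToSend(source, target) {
  const s = new URL(source);
  if (s.origin !== new URL(target).origin) return null;
  s.hash = ""; s.username = ""; s.password = "";
  return s.href;
}

// Flag cross-origin navigations whose Referer would carry an identifier.
function auditNavigations(navs) {
  return navs
    .filter((n) => new URL(n.referrer).origin !== new URL(n.target).origin)
    .map((n) => ({ target: n.target, leaks: referrerIdentifiers(n.referrer) }))
    .filter((r) => r.leaks.length > 0);
}

// Referer value quoted in the ticket comment.
const SEARCH_REFERRER =
  "https://search.disconnect.me/searchTerms/serp?search=be546373-ac83-4a7e-968d-354236197519";
// Constructed navigations: the same search id reaches two unrelated sites.
const SAMPLE_NAVIGATIONS = [
  { referrer: SEARCH_REFERRER, target: "https://site-a.example/" },
  { referrer: SEARCH_REFERRER, target: "https://site-b.example/page" },
  { referrer: SEARCH_REFERRER, target: "https://search.disconnect.me/about" },
  { referrer: "https://forum.example/index.php?PHPSESSID=0123456789abcdef0123456789abcdef",
    target: "https://site-a.example/" },
  { referrer: "https://news.example/story", target: "https://site-b.example/" },
];

for (const hit of auditNavigations(SAMPLE_NAVIGATIONS)) {
  console.log(hit.target, "<-", hit.leaks.join(", "));
}
```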