[tbb-bugs] #21418 [Applications/Tor Browser]: New Tor Browser http response header, for high security websites

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Feb 8 22:06:12 UTC 2017


#21418: New Tor Browser http response header, for high security websites
--------------------------------------+--------------------------
 Reporter:  micahlee                  |          Owner:  tbb-team
     Type:  enhancement               |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by tom):

 Is a header the right choice for this? On the surface, I kind of like the
 ability for a website to opt-in to stricter security controls but the
 threat model is odd.

 If it's a HTTP Header that applies per-request, the attacker has hacked
 the server or the network, but not completely otherwise they could remove
 or disable the header.

 If it's some sort of persistent mechanism (for example: a HTTP Header that
 gets remembered with max-age) then we're presuming the HTTP Server is
 trustable at one point in time and then gets compromised later.

 That second one seems a lot more reasonable to me than just a per-response
 header.

 It does; however, introduce the state problem - you don't actually want to
 remember state in Tor Browser so we would have to solve that problem.



 I would note that this really applies more for the other features of the
 Tor Browser security slider than Javascript. You can effectively disable
 javascript entirely using Content Security Policy with _is_ a per-response
 header that Tor Browser already supports.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21418#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list