[tor-bugs] #3748 [TorBrowserButton]: Isolate HTTP Auth to top-level domain
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Fri Aug 26 21:57:07 UTC 2011
#3748: Isolate HTTP Auth to top-level domain
------------------------------+---------------------------------------------
Reporter: mikeperry | Owner: mikeperry
Type: defect | Status: new
Priority: major | Milestone: TorBrowserBundle 2.2.x-stable
Component: TorBrowserButton | Version:
Keywords: | Parent:
Points: | Actualpoints:
------------------------------+---------------------------------------------
Comment(by mikeperry):
Georg - I noticed you strip off the WWW-Authenticate header from 3rd party
responses. Does that serve any security purpose, or does it exist just to
prevent 3rd parties from being able to open auth prompts?
I am thinking that we might want the auth prompts to show up. They would
be evidence of a tracking attack using this mechanism. If the adversary
doesn't get the Authenticate header they want and then sets
WWW-Authenticate, the browser would effectively be alerting the user that
the site is trying to track them.
It might also help users diagnose issues in the event that this feature
breaks some other site that requires 3rd party auth.
What do you think?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3748#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online