[tor-bugs] #5477 [EFF-HTTPS Everywhere]: Surprising DOM origins before HTTPS-E/NoScript redirects have completed
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Tue Apr 17 22:00:32 UTC 2012
#5477: Surprising DOM origins before HTTPS-E/NoScript redirects have completed
------------------------------------------------------+---------------------
Reporter: Drugoy | Owner: pde
Type: defect | Status: new
Priority: major | Milestone:
Component: EFF-HTTPS Everywhere | Version:
Keywords: address spoofing, critical vulnerability | Parent:
Points: | Actualpoints:
------------------------------------------------------+---------------------
Comment(by ma1):
From a first cursory look, latest stable NoScript (2.3.7) on latest
Nightly does not seem affected (while I could reproduce with stable HTTPS
Everywhere).
Tested with default configuration + ''NoScript Options|General|Scripts
globally allowed'' + ''NoScript Options|Advanced|HTTPS'' with
''apple.com'' forced to HTTPS (i.e. apple.com and subdomains).
I apparently get the same behavior as a clean profile with no extensions
(i.e. the load gets early aborted by document.write(), which therefore
outputs in a window which still displays the origin of its opener.
Hence, if these observations are confirmed, the question is: where does
HTTPS-Everywhere's HTTPS enforcement implementation diverge from
NoScript's?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5477#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list