[tor-bugs] #5477 [EFF-HTTPS Everywhere]: Surprising DOM origins before HTTPS-E/NoScript redirects have completed
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Thu May 10 20:12:42 UTC 2012
#5477: Surprising DOM origins before HTTPS-E/NoScript redirects have completed
-------------------------------------+--------------------------------------
Reporter: Drugoy | Owner: ma1
Type: defect | Status: reopened
Priority: blocker | Milestone:
Component: EFF-HTTPS Everywhere | Version:
Resolution: | Keywords:
Parent: | Points:
Actualpoints: |
-------------------------------------+--------------------------------------
Comment(by pde):
In parallel, I've been discussing this with the Mozilla security team.
One horrible workaround option (assuming we don't learn anything
actionable from the approach mikeperry mentions) would be to redirect to
about:blank straightaway, and then on to the real destination. It would
probably have to be !about:blank#token in order to keep track of what
we're doing.
I also tested to see if this problem exists with Mozilla's native HSTS
implementation. It doesn't. Unfortunately, all of
[http://mxr.mozilla.org/mozilla-
central/source/netwerk/protocol/http/nsHttpChannel.cpp#1430 that machinery
is asynchronous native code] that's not available to scripts.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5477#comment:37>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list