[tor-bugs] #13784 [Tor Browser]: HTTP authentication tokens are not removed anymore for third party requests
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Nov 18 10:38:29 UTC 2014
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |         Owner:  tbb-team
     Type:  defect                               |        Status:  new
 Priority:  critical                             |     Milestone:
Component:  Tor Browser                          |       Version:
 Keywords:  tbb-linkability, tbb-testcase,       | Actual Points:
            TorBrowserTeam201411                 |        Points:
Parent ID:                                       |
-------------------------------------------------+-------------------------
Fixing #13742 broke stripping of the Authorization header in case we are
about to send it with third-party requests. The relevant code in
stanford-safecache.js was:
{{{
try {
  // Disable 3rd party http auth, but exempt the browser (for favicon loads)
  // FIXME: Hrmm, this is just going to disable auth for 3rd party domains.
  // It would be better if we could isolate the auth, but still
  // allow it to be transmitted.. But I guess, who still uses http auth anyways?
  if (channel.getRequestHeader("Authorization") !== null) {
    if (parent_spec == "chrome://browser/content/browser.xul") {
      torbutton_log(3, "Allowing auth for browser load of "+channel.URI.spec);
    } else {
      torbutton_safelog(4, "Removing 3rd party HTTP auth for url ",
                        channel.URI.spec+", parent: "+parent_spec);
      channel.setRequestHeader("Authorization", null, false);
      channel.setRequestHeader("Pragma", null, false);
      channel.setRequestHeader("Cache-Control", null, false);
    }
  }
} catch (e) {}
}}}
This is not an issue in our current stable, but we need to get that fixed
rather soon as we want to backport the fix for #13742 to our 4.0 series.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13784>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
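The behaviour the ticket says was lost, as an added stand-alone model (example code written for this page, not Torbutton's or Tor Browser's own): an Authorization header on a request whose parent document belongs to a different site is dropped, together with the Pragma and Cache-Control headers the original also cleared, while a load whose parent is chrome://browser/content/browser.xul (favicon fetches) keeps it. Everything beyond what the snippet above shows is an assumption for the example: the MockChannel stand-in for nsIHttpChannel, the two-label registrableDomain/isThirdParty approximation (no public suffix list), and the string results returned by stripThirdPartyAuth.

```javascript
// Added example, not code from Torbutton or Tor Browser. Runs under Node.
const BROWSER_CHROME = "chrome://browser/content/browser.xul";

// Minimal stand-in for nsIHttpChannel (assumption). Like Gecko, getRequestHeader
// throws when the header is absent, which is why the original wraps the check
// in try/catch; a null value to setRequestHeader removes the header, as the
// original relies on.
class MockChannel {
  constructor(spec, headers) {
    this.URI = { spec };
    this.headers = new Map(Object.entries(headers));
  }
  getRequestHeader(name) {
    if (!this.headers.has(name)) throw new Error("NS_ERROR_NOT_AVAILABLE: " + name);
    return this.headers.get(name);
  }
  setRequestHeader(name, value, merge) {
    if (value === null) this.headers.delete(name);
    else if (merge && this.headers.has(name)) this.headers.set(name, this.headers.get(name) + ", " + value);
    else this.headers.set(name, value);
  }
  hasHeader(name) { return this.headers.has(name); }
}

// Two-label approximation of the registrable domain (assumption for the
// example; a real implementation consults the public suffix list, so a host
// such as foo.co.uk is mis-handled here).
function registrableDomain(spec) {
  return new URL(spec).hostname.split(".").slice(-2).join(".");
}

// A request is third-party when its site differs from the parent document's.
function isThirdParty(channel, parentSpec) {
  return registrableDomain(channel.URI.spec) !== registrableDomain(parentSpec);
}

// Returns "no-auth" (nothing to strip), "allowed" (browser-initiated load such
// as a favicon fetch, exempted by name as in the original), "first-party"
// (header left alone) or "stripped" (Authorization, Pragma and Cache-Control
// removed before the request leaves the browser).
function stripThirdPartyAuth(channel, parentSpec) {
  try {
    if (channel.getRequestHeader("Authorization") === null) return "no-auth";
  } catch (e) {
    return "no-auth"; // NS_ERROR_NOT_AVAILABLE in the real API
  }
  if (parentSpec === BROWSER_CHROME) return "allowed";
  if (!isThirdParty(channel, parentSpec)) return "first-party";
  channel.setRequestHeader("Authorization", null, false);
  channel.setRequestHeader("Pragma", null, false);
  channel.setRequestHeader("Cache-Control", null, false);
  return "stripped";
}

// Constructed scenarios (sample data made up for the example): a tracker pixel
// embedded in a news page, a same-site script, a favicon load initiated by the
// browser chrome, and a third-party request that carries no credentials.
function runScenarios() {
  const auth = { Authorization: "Basic dXNlcjpwYXNz", Pragma: "no-cache", "Cache-Control": "no-cache" };
  const cases = [
    ["https://img.tracker.example/pixel.gif", "https://news.example/story", { ...auth }],
    ["https://static.news.example/app.js", "https://news.example/story", { ...auth }],
    ["https://news.example/favicon.ico", BROWSER_CHROME, { ...auth }],
    ["https://img.tracker.example/pixel.gif", "https://news.example/story", {}],
  ];
  return cases.map(([spec, parent, headers]) => {
    const ch = new MockChannel(spec, headers);
    const action = stripThirdPartyAuth(ch, parent);
    return { url: spec, parent, action, authSent: ch.hasHeader("Authorization") };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runScenarios()) console.log(r);
}
```

The linkability point the ticket's keywords refer to is visible in the first scenario: without the stripping, the same Basic credential would travel to img.tracker.example from every page that embeds it, letting that third party tie those visits to one user regardless of circuit isolation.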