[tor-bugs] #13784 [Tor Browser]: HTTP authentication tokens are not removed anymore for third party requests
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Nov 18 10:39:13 UTC 2014
#13784: HTTP authentication tokens are not removed anymore for third party requests
-------------------------+-------------------------------------------------
Reporter: gk | Owner: tbb-team
Type: defect | Status: new
Priority: | Milestone:
critical | Version:
Component: Tor | Keywords: tbb-linkability, tbb-testcase,
Browser | TorBrowserTeam201411
Resolution: | Parent ID:
Actual Points: |
Points: |
-------------------------+-------------------------------------------------
Description changed by gk:
Old description:
> Fixing #13742 broke stripping off the Authorization header in case we are
> about to send them with third party requests. The relevant code in
> stanford-safecache.js was:
> {{{
> try {
> // Disable 3rd party http auth, but exempt the browser (for
> favicon loads)
> // FIXME: Hrmm, this is just going to disable auth for 3rd party
> domains.
> // It would be better if we could isolate the auth, but still
> // allow it to be transmitted.. But I guess, who still uses http
> auth anyways?
> if (channel.getRequestHeader("Authorization") !== null) {
> if (parent_spec == "chrome://browser/content/browser.xul") {
> torbutton_log(3, "Allowing auth for browser load of
> "+channel.URI.spec);
> } else {
> torbutton_safelog(4, "Removing 3rd party HTTP auth for url ",
> channel.URI.spec+", parent: "+parent_spec);
> channel.setRequestHeader("Authorization", null, false);
> channel.setRequestHeader("Pragma", null, false);
> channel.setRequestHeader("Cache-Control", null, false);
> }
> }
> } catch (e) {}
> }}}
> This is not an issue in our current stable but we need to get that fixed
> rather soon as we want to backport the fix for #13742 to our 4.0 series.
New description:
Fixing #13742 broke stripping off the Authorization header in case we are
about to send it with third party requests. The relevant code in stanford-
safecache.js was:
{{{
try {
// Disable 3rd party http auth, but exempt the browser (for
favicon loads)
// FIXME: Hrmm, this is just going to disable auth for 3rd party
domains.
// It would be better if we could isolate the auth, but still
// allow it to be transmitted.. But I guess, who still uses http
auth anyways?
if (channel.getRequestHeader("Authorization") !== null) {
if (parent_spec == "chrome://browser/content/browser.xul") {
torbutton_log(3, "Allowing auth for browser load of
"+channel.URI.spec);
} else {
torbutton_safelog(4, "Removing 3rd party HTTP auth for url ",
channel.URI.spec+", parent: "+parent_spec);
channel.setRequestHeader("Authorization", null, false);
channel.setRequestHeader("Pragma", null, false);
channel.setRequestHeader("Cache-Control", null, false);
}
}
} catch (e) {}
}}}
This is not an issue in our current stable but we need to get that fixed
rather soon as we want to backport the fix for #13742 to our 4.0 series.
--
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13784#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list