[tor-bugs] #9623 [Tor Browser]: Referers being sent from hidden service websites
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Oct 9 15:42:30 UTC 2015
#9623: Referers being sent from hidden service websites
-------------------------+-------------------------------------------------
Reporter: cypherpunks    | Owner: tbb-team
Type: defect             | Status: needs_revision
Priority: major          | Milestone:
Component: Tor Browser   | Version:
Resolution:              | Keywords: tbb-torbutton, tbb-security, TorBrowserTeam201510R
Actual Points:           | Parent ID:
Points:                  | Sponsor:
-------------------------+-------------------------------------------------
Comment (by zyan):

Replying to [comment:34 gk]:
> Replying to [comment:30 zyan]:
> > Addressed comments in https://github.com/diracdeltas/torbutton/pull/1
> > and updated to using mozIThirdPartyUtil instead of rolling our own
> > same-origin check.
>
> This looks better, thanks. Some smaller things:
>
> 1) Could you avoid doing
> {{{
> var ios = Components.classes["@mozilla.org/network/io-service;1"].
> getService(Components.interfaces.nsIIOService);
> }}}
> every time calling `onModifyRequest()`? Assigning it once in the
> constructor (as done with `thirdPartyUtil`) should be enough.
>
> 2) Could you remove the boilerplate for Firefox 3.6 at the end of
> torRefSpoofer.js?

Good catches, fixed.

> 3) Could you squash your commits?
>
> One thing I am wondering is whether it would be better to set the
> Referrer to a URL containing the domain the user is requesting instead of
> setting it to `http://example.com`. There might be cases where this makes
> the Referer spoofing non-obvious which seems superior to just using a
> semi-random URL.

I think this makes sense, so I did it.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9623#comment:35>
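The Referer policy discussed in the comment above, as an added example that is not torbutton's own code: a cross-site request leaving a hidden-service page gets a Referer built from the destination's own domain rather than a fixed `http://example.com`, while same-site requests keep their real Referer. `isThirdParty` is a simplified stand-in for `mozIThirdPartyUtil.isThirdPartyURI()` (it uses a tiny constructed suffix list instead of the full public-suffix list), and limiting the rewrite to `.onion` referrers is an assumption drawn from the ticket title, not from the patch.

```javascript
// Added example; not code from torbutton or the patch under review.
// Constructed two-label public suffixes for the demo; the real
// mozIThirdPartyUtil consults Firefox's full public-suffix list.
const TWO_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]);

// Registrable domain (eTLD+1) of a hostname, e.g. "www.example.co.uk" -> "example.co.uk".
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  if (labels.length <= 2) return labels.join(".");
  const take = TWO_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-take).join(".");
}

// Stand-in for mozIThirdPartyUtil.isThirdPartyURI(): two URLs are third-party
// to each other when their registrable domains differ.
function isThirdParty(requestUrl, referrerUrl) {
  return baseDomain(new URL(requestUrl).hostname) !==
         baseDomain(new URL(referrerUrl).hostname);
}

// Returns the Referer value to send for `requestUrl` given the page that
// triggered it (`referrer`, the current Referer header), or null if none.
function spoofReferer(requestUrl, referrer) {
  if (!referrer) return null;
  // Same-site requests keep their real Referer: the site already knows the page.
  if (!isThirdParty(requestUrl, referrer)) return referrer;
  const origin = new URL(referrer);
  // Assumption for this example: only referrers from hidden services are rewritten.
  if (!origin.hostname.endsWith(".onion")) return referrer;
  // Cross-site request from a .onion page: the onion address must not leak, so the
  // Referer becomes a URL on the destination's own domain (gk's suggestion) instead
  // of the conspicuous fixed "http://example.com" used earlier in the patch.
  const dest = new URL(requestUrl);
  return `${dest.protocol}//${dest.hostname}/`;
}

// Usage: prints "https://cdn.example.com/"
console.log(spoofReferer("https://cdn.example.com/a.js", "http://abcdefghijklmnop.onion/page"));
```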