[tor-bugs] #21756 [Applications/Tor Browser]: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Apr 11 10:48:58 UTC 2017
#21756: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |  Owner:  tbb-team
 Type:  defect                                   |  Status:  assigned
 Priority:  High                                 |  Milestone:
 Component:  Applications/Tor Browser            |  Version:
 Severity:  Normal                               |  Resolution:
 Keywords:  ff52-esr, TorBrowserTeam201704,      |  Actual Points:
   tbb-7.0-must-alpha                            |
 Parent ID:                                      |  Points:
 Reviewer:                                       |  Sponsor:  Sponsor4
-------------------------------------------------+-------------------------
Comment (by gk):
Replying to [comment:7 arthuredelstein]:
> Replying to [comment:6 gk]:
> > Do you think you could come up with a test for that scenario, too, to
> > be extra sure that nothing is sneaking in?
>
> So my test from comment:2 is already testing if any third-party headers
> are received back under a new first party. Are you interested in testing
> the silent authentication scenario (with and without JS), or is there some
> other characteristic of that demo you would like to test?
If you think there is no loophole where this kind of feature abuse can
subvert our defenses then feel free to close this ticket without adding a
particular test for the ip-check scenario.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21756#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online