[tor-bugs] #22320 [Applications/Tor Browser]: Referrer not hidden when comming from a .onion address

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun May 21 20:44:02 UTC 2017

#22320: Referrer not hidden when comming from a .onion address
     Reporter:  pege                      |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
 In TorBroswer 7.0a4, when leaving a .onion page for a clearnet page, the
 .onion address is sent as referrer.

 This should not be the case and has originally been disabled with
 browser-45.8.0esr-6.5-2&id=09188cb14dfaa8ac22f687c978166c7bd171b576 this
 commit] and appears to have been
 [https://bugzilla.mozilla.org/show_bug.cgi?id=1305144 uplifted to Firefox]
 since. The `network.http.referer.hideOnionSource` preference is set to
 `true` but seems to have no effect.

 Steps to reproduce:
 1. Go to [https://3g2upl4pq6kufc4m.onion/ duckduckgo's onion page]
 2. enter any search term
 3. click on one of the result
 4. open the inspector observe the .onion referrer being send to the target

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22320>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list