[tor-commits] [torbutton/master] Bug #3748: Disable 3rd party HTTP auth
mikeperry at torproject.org
mikeperry at torproject.org
Sat Aug 27 22:39:14 UTC 2011
commit 5032b8897b45229f62307f80b9dce401e4f734f7
Author: Mike Perry <mikeperry-git at fscked.org>
Date: Sat Aug 27 15:25:00 2011 -0700
Bug #3748: Disable 3rd party HTTP auth
We do this by removing the Authenticate header. Users will now experience
dialogs informing them of incorrect authenticate attempts in the event of an
attack/attempted use of 3rd party auth. See #3837 for the bug to improve the
dialog.
---
src/chrome/content/stanford-safecache.js | 12 ++++++++++++
1 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/src/chrome/content/stanford-safecache.js b/src/chrome/content/stanford-safecache.js
index 0b08bda..4dd388d 100644
--- a/src/chrome/content/stanford-safecache.js
+++ b/src/chrome/content/stanford-safecache.js
@@ -140,6 +140,18 @@ SSC_RequestListener.prototype =
" content loaded by " + parent_host);
this.setCacheKey(channel, parent_host);
referrer = parent_host;
+ try {
+ // Disable 3rd party http auth
+ // FIXME: Hrmm, this is just going to disable auth for 3rd party domains.
+ // It would be better if we could isolate the auth, but still
+ // allow it to be transmitted.. But I guess, who still uses http auth anyways?
+ if (channel.getRequestHeader("Authorization") !== null) {
+ torbutton_safelog(4, "Removing 3rd party HTTP auth for url: ", channel.URI.spec);
+ channel.setRequestHeader("Authorization", null, false);
+ channel.setRequestHeader("Pragma", null, false);
+ channel.setRequestHeader("Cache-Control", null, false);
+ }
+ } catch (e) {}
} else {
referrer = channel.URI.host;
if(!this.readCacheKey(channel.cacheKey)) {
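Review bot: The empty `catch (e) {}` around the new block fails open: if `torbutton_safelog` or any of the `setRequestHeader` calls throws, the request goes out to the third party with its `Authorization` header still attached and nothing is recorded. Because the log call runs before the header is cleared, I would move it below the three `setRequestHeader` lines so that a logging failure cannot skip the removal. I would also replace the empty catch with one that reports unexpected errors, e.g. `} catch (e) { if (e.result != Components.results.NS_ERROR_NOT_AVAILABLE) torbutton_safelog(4, "Failed to strip 3rd party HTTP auth: " + e + " for url: ", channel.URI.spec); }`; this assumes `getRequestHeader` throws NS_ERROR_NOT_AVAILABLE when the header is absent, which is the only case worth ignoring. The block also clears `Pragma` and `Cache-Control` without saying why, so a one-line comment giving the reason would help the next reader. The enclosing observer method starts and ends outside this hunk.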