[tor-commits] [meek/master] Strip unneeded headers by default.
dcf at torproject.org
Wed Aug 28 05:59:18 UTC 2019
commit 650f5d10115670a2b7fbe355dd11ea125256537b
Author: David Fifield <david at bamsoftware.com>
Date: Fri Feb 15 13:55:53 2019 -0700
Strip unneeded headers by default.
These are:
Accept
Accept-Language
Cookie
Origin
User-Agent
Cf. https://bugs.torproject.org/12778
In the old extension we stripped *all* headers, except for
Content-Length and Content-Type, which got set by
nsIUploadChannel.setUploadStream; and Connection, which somehow
automatically got the value "keep-alive".
https://gitweb.torproject.org/pluggable-transports/meek.git/commit/?id=0e6ced86880b54f57a80b34d7f1b32a0eaa33b48
In the new WebExtension, stripping all headers really strips them all,
including Content-Length, without which web servers may refuse to deal
with us. So instead, just delete an enumerated list of headers that seem
unnecessary; or, like Cookie or Origin, may enable cross-session
tracking.
Before this change (url=https://meek.azureedge.net/ front=ajax.aspnetcdn.com):
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 0
Host: meek.azureedge.net
Origin: moz-extension://3b29e17d-f486-48b9-8a03-782237114ad3
Pragma: no-cache
TE: Trailers
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
X-Session-Id: QE9IrvZFtFc
After this change:
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 0
Host: meek.azureedge.net
Pragma: no-cache
TE: Trailers
X-Session-Id: CKOaxq4SVqM
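The commit message above explains why the WebExtension deletes an enumerated list of browser headers rather than all of them. Below is an added, stand-alone example (not meek's code and not part of the commit) that models that merge in the `{name, value}` array shape a `webRequest.onBeforeSendHeaders` listener receives, runs it over a constructed copy of the "Before" dump, and shows that Content-Length survives and that a header the client requests itself is never stripped. The function names, the `onBeforeSendHeaders` wrapper, the Cookie value and the placeholder Origin UUID are assumptions made for this example; only the stripped-name list is the commit's.

```javascript
// Added example, not meek's own code: models the header merge a WebExtension's
// webRequest.onBeforeSendHeaders listener can perform, using the {name, value}
// array shape the browser passes in details.requestHeaders. Function names,
// the sample browser headers (modeled on the "Before" dump in the commit
// message, with a constructed Cookie and a placeholder Origin UUID) and the
// requested headers are assumptions; only the stripped-name list is the commit's.

// Browser-generated headers that are either unnecessary for the transport or
// may enable cross-session tracking (Cookie, Origin). Lowercased once so that
// matching is case-insensitive, as header names are.
const STRIP_BY_DEFAULT = new Set(
  ["Accept", "Accept-Language", "Cookie", "Origin", "User-Agent"].map(n => n.toLowerCase())
);

// Merge the browser's headers with the headers the client explicitly asked for.
// A requested header replaces any browser header of the same name, and the
// STRIP_BY_DEFAULT names are dropped unless the request supplies them itself.
// Every other browser header (Content-Length, Host, Connection, ...) is kept:
// removing everything would also remove Content-Length, which servers need.
function mergeHeaders(browserHeaders, requestedHeaders) {
  const drop = new Set(STRIP_BY_DEFAULT);
  for (const h of requestedHeaders) {
    drop.add(h.name.toLowerCase());
  }
  const kept = browserHeaders.filter(h => !drop.has(h.name.toLowerCase()));
  return kept.concat(requestedHeaders);
}

// Shape of a webRequest.onBeforeSendHeaders listener result: an object whose
// requestHeaders array replaces the browser's (hypothetical wrapper).
function onBeforeSendHeaders(details, requestedHeaders) {
  return {requestHeaders: mergeHeaders(details.requestHeaders, requestedHeaders)};
}

// Parse "Name: value" lines, like the dumps in the commit message, into
// {name, value} objects.
function parseHeaderDump(text) {
  return text.trim().split("\n").map(line => {
    const i = line.indexOf(":");
    return {name: line.slice(0, i).trim(), value: line.slice(i + 1).trim()};
  });
}

function headerNames(headers) {
  return headers.map(h => h.name);
}

// Constructed sample input, modeled on the "Before" dump in the commit message.
const BROWSER_HEADERS = parseHeaderDump(`
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 0
Cookie: session=constructed-example-value
Host: meek.azureedge.net
Origin: moz-extension://00000000-0000-0000-0000-000000000000
Pragma: no-cache
TE: Trailers
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
`);

// The header the client asked the extension to add (constructed value).
const REQUESTED_HEADERS = [{name: "X-Session-Id", value: "QE9IrvZFtFc"}];

// Default case: Accept, Accept-Language, Cookie, Origin and User-Agent go;
// Content-Length and Host survive; X-Session-Id is appended.
const merged = onBeforeSendHeaders({requestHeaders: BROWSER_HEADERS}, REQUESTED_HEADERS).requestHeaders;
console.log(merged.map(h => `${h.name}: ${h.value}`).join("\n"));

// Override case: a request that supplies its own User-Agent keeps it, because
// requested headers are appended after the filter rather than filtered out.
const withUa = mergeHeaders(BROWSER_HEADERS, REQUESTED_HEADERS.concat([
  {name: "User-Agent", value: "curl/7.64.0"},
]));
console.log(withUa.filter(h => h.name === "User-Agent").map(h => h.value));
```

Running the default case reproduces the "After" header set from the commit message. The override case is the property worth checking when touching this code: because the client's headers are concatenated after the filter, adding a name to the strip list can never suppress a header the client deliberately set.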
---
webextension/background.js | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/webextension/background.js b/webextension/background.js
index 1ffb828..664e758 100644
--- a/webextension/background.js
+++ b/webextension/background.js
@@ -135,7 +135,6 @@ async function roundtrip(request) {
// Don't follow redirects (we'll get resp.status:0 if there is one).
init.redirect = "manual";
- // TODO: strip Origin header?
// TODO: proxy
} catch (error) {
return {error: `request spec failed valiation: ${error.message}`};
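Review bot: the unchanged context line `return {error: \`request spec failed valiation: ${error.message}\`};` misspells "validation"; since this hunk already edits the adjacent comment lines, fixing that typo in the same patch would be cheap. Dropping `// TODO: strip Origin header?` is justified only because Origin is on the stripped list in the next hunk, so it would help a reader of this hunk alone if the commit message (or the remaining `// TODO: proxy` comment's neighbourhood) pointed at where Origin is now handled.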
@@ -165,6 +164,10 @@ async function roundtrip(request) {
.map(x => ({name: x[0], value: x[1]}));
// Remove all browser headers that conflict with requested headers.
let overrides = Object.fromEntries(headers.map(x => [x.name.toLowerCase(), true]));
+ // Also remove some unnecessary or potentially tracking-enabling headers.
+ for (let name of ["Accept", "Accept-Language", "Cookie", "Origin", "User-Agent"]) {
+ overrides[name.toLowerCase()] = true;
+ }
let browserHeaders = details.requestHeaders.filter(x => !(x.name.toLowerCase() in overrides));
return {requestHeaders: browserHeaders.concat(headers)};
} finally {
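Review bot: after the loop `for (let name of ["Accept", "Accept-Language", "Cookie", "Origin", "User-Agent"]) { overrides[name.toLowerCase()] = true; }` the name `overrides` no longer describes what the object holds; it is now the set of browser header names to drop, whether because the request overrides them or because they are stripped by default, so a name like `remove` or `dropped` would read better. The list literal would also be clearer as a module-level constant, lowercased once and carrying the tracking rationale from the commit message, rather than rebuilt and lowercased on every `onBeforeSendHeaders` call. The logic itself is sound: because `headers` is concatenated back on after the filter, a request that supplies its own User-Agent or Origin still gets it, and Content-Length survives because it is not in the list.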