[tor-bugs] #25482 [- Select a component]: Origin header sent from hidden service to clearnet websites
#25482: Origin header sent from hidden service to clearnet websites
--------------------------------------+--------------------
 Reporter:  kkm                       |      Owner:  (none)
     Type:  defect                    |     Status:  new
 Priority:  Medium                    |  Milestone:
Component:  - Select a component      |    Version:
 Severity:  Normal                    |   Keywords:
Actual Points:                        |  Parent ID:
   Points:                            |   Reviewer:
  Sponsor:                            |
--------------------------------------+--------------------
When browsing a hidden service in Tor Browser, like
`https://www.nytimes3xbfgragh.onion/`, XHR and fetch calls on this service
to clearnet websites/services like
(https://securepubads.g.doubleclick.net) send the name of the hidden service
in the `Origin` header.

Given that Tor Browser ensures that referrers are not sent from .onion to
clearnet (https://trac.torproject.org/projects/tor/ticket/9623), not sure
how big of an issue XHR / fetch requests sending the Origin header is.

Note:
1. Would be worth checking if not sending the `Origin` header breaks some
functionality.
2. The Origin header is always capped to domain level. So in this case the
service will not know the exact URL on the hidden service, but at least will
learn the hidden service name.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25482>
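
For an onion service operator who wants to audit their own pages for the behaviour reported above, the following added example (not part of the ticket and not Tor Browser code) scans a HAR capture exported from the browser's network tools and reports requests whose `Origin` header names a .onion host while the request goes to a non-onion host. The HAR entries and request paths are constructed sample data, and the function names are hypothetical.

```javascript
// Added example: find requests in a HAR capture that disclose an onion
// hostname to a non-onion host through the Origin header.
const isOnion = (host) =>
  host.toLowerCase().replace(/\.$/, '').endsWith('.onion');

// HAR stores headers as [{name, value}]; header names are case-insensitive.
function headerValue(headers, name) {
  const h = (headers || []).find((x) => x.name.toLowerCase() === name);
  return h ? h.value : null;
}

function findOnionOriginLeaks(har) {
  const leaks = [];
  for (const { request } of har.log.entries) {
    const origin = headerValue(request.headers, 'origin');
    // No Origin header, or the opaque value "null", names no host.
    if (!origin || origin === 'null') continue;
    let originHost, targetHost;
    try {
      originHost = new URL(origin).hostname;
      targetHost = new URL(request.url).hostname;
    } catch {
      continue; // skip entries with unparsable URLs
    }
    if (isOnion(originHost) && !isOnion(targetHost)) {
      leaks.push({ method: request.method, target: targetHost, disclosed: originHost });
    }
  }
  return leaks;
}

// Constructed sample capture (hostnames from the ticket, paths made up).
const ONION = 'https://www.nytimes3xbfgragh.onion';
const CLEAR = 'https://securepubads.g.doubleclick.net';
const SAMPLE_HAR = { log: { entries: [
  { request: { method: 'POST', url: CLEAR + '/constructed/xhr',
               headers: [{ name: 'Origin', value: ONION }] } },
  { request: { method: 'GET', url: ONION + '/constructed/data.json',
               headers: [{ name: 'origin', value: ONION }] } },
  { request: { method: 'GET', url: CLEAR + '/constructed/pixel.gif',
               headers: [] } },
  { request: { method: 'POST', url: CLEAR + '/constructed/beacon',
               headers: [{ name: 'Origin', value: 'null' }] } },
] } };

console.log(findOnionOriginLeaks(SAMPLE_HAR));
```

Only the first constructed entry is reported: the second stays onion-to-onion, the third carries no `Origin` header, and the fourth sends the opaque value `null`.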