[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #7445 [Firefox Patch Issues]: Verify that 301 redirects are not cached cross-domain

To: undisclosed-recipients:;
Subject: [tor-bugs] #7445 [Firefox Patch Issues]: Verify that 301 redirects are not cached cross-domain
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Sun, 11 Nov 2012 20:47:26 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 11 Nov 2012 15:47:35 -0500
List-archive: <http://lists.torproject.org/pipermail/tor-bugs>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx

#7445: Verify that 301 redirects are not cached cross-domain
----------------------------------+-----------------------------------------
 Reporter:  mikeperry             |          Owner:  mikeperry
     Type:  project               |         Status:  new      
 Priority:  major                 |      Milestone:           
Component:  Firefox Patch Issues  |        Version:           
 Keywords:                        |         Parent:           
   Points:                        |   Actualpoints:           
----------------------------------+-----------------------------------------
 Chiiph pointed me at:
 http://www.scatmania.org/2012/04/24/visitor-tracking-without-cookies/

 That url describes a technique to perform third party tracking using 301
 redirect caching. Based on my read of nsHttpChannel, it looks like the
 redirect cache information comes directly from mCacheEntry, which is
 retrieved using the same cacheDomain isolation we use to isolate the cache
 for JS, HTML, and CSS to first party domain.

 However, there could be some other reference table that is used that I'm
 not seeing. It wouldn't be the first time something crazy like that has
 happened.

 Unfortunately, their test is offline, and it also only tests a single
 first party domain.. We should test this cross-domain and make sure it is
 in fact isolated.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7445>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Follow-Ups:
- Re: [tor-bugs] #7445 [Firefox Patch Issues]: Verify that 301 redirects are not cached cross-domain
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #7445 [Firefox Patch Issues]: Verify that 301 redirects are not cached cross-domain
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #7445 [Firefox Patch Issues]: Verify that 301 redirects are not cached cross-domain
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #7325 [pyobfsproxy]: Scrub IPs before displaying them in logs
Next by Author: Re: [tor-bugs] #7445 [Firefox Patch Issues]: Verify that 301 redirects are not cached cross-domain
Previous by thread: Re: [tor-bugs] #7444 [EFF-HTTPS Everywhere]: SSL Observatory unable to detect tor installation on PC-BSD
Next by thread: Re: [tor-bugs] #7445 [Firefox Patch Issues]: Verify that 301 redirects are not cached cross-domain
Index(es):
- Author
- Thread