[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #3748 [TorBrowserButton]: Isolate HTTP Auth to top-level domain



#3748: Isolate HTTP Auth to top-level domain
------------------------------+---------------------------------------------
 Reporter:  mikeperry         |          Owner:  mikeperry                    
     Type:  defect            |         Status:  new                          
 Priority:  major             |      Milestone:  TorBrowserBundle 2.2.x-stable
Component:  TorBrowserButton  |        Version:                               
 Keywords:                    |         Parent:                               
   Points:                    |   Actualpoints:                               
------------------------------+---------------------------------------------

Comment(by mikeperry):

 Georg - I noticed you strip off the WWW-Authenticate header from 3rd party
 responses. Does that serve any security purpose, or does it exist just to
 prevent 3rd parties from being able to open auth prompts?

 I am thinking that we might want the auth prompts to show up. They would
 be evidence of a tracking attack using this mechanism. If the adversary
 doesn't get the Authenticate header they want and then sets WWW-
 Authenticate, the browser would effectively be alerting the user that the
 site is trying to track them.

 It might also help users diagnose issues in the event that this feature
 breaks some other site that requires 3rd party auth.

 What do you think?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3748#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs