[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #7492 [EFF-HTTPS Everywhere]: [CHROME] Do not flag cookies from HTTP origins as "secure"

To: undisclosed-recipients:;
Subject: Re: [tor-bugs] #7492 [EFF-HTTPS Everywhere]: [CHROME] Do not flag cookies from HTTP origins as "secure"
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Thu, 07 Mar 2013 02:58:49 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 06 Mar 2013 21:59:01 -0500
In-reply-to: <043.a0b22e570ad8cdc70ca0e12a95083056@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <043.a0b22e570ad8cdc70ca0e12a95083056@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx

#7492: [CHROME] Do not flag cookies from HTTP origins as "secure"
----------------------------------+-----------------------------------------
 Reporter:  pde                   |          Owner:  mikeperry
     Type:  defect                |         Status:  new      
 Priority:  critical              |      Milestone:           
Component:  EFF-HTTPS Everywhere  |        Version:           
 Keywords:                        |         Parent:           
   Points:                        |   Actualpoints:           
----------------------------------+-----------------------------------------
Changes (by pde):

 * cc: dtauerbach (added)


Comment:

 I spent a couple of hours today on this.  Work in progress is in
 [https://gitweb.torproject.org/pde/https-everywhere.git/log/refs/heads
 /chrome-cookiefix this branch].

 But I'm really perplexed by what's been going on in
 [https://gitweb.torproject.org/pde/https-
 everywhere.git/blob/7d51c7dcf570b177fa76bfd42cba010232245c09:/chromium/background.js
 background.js] in [https://gitweb.torproject.org/pde/https-
 everywhere.git/blob/7d51c7dcf570b177fa76bfd42cba010232245c09:/chromium/background.js#l200
 onBeforeSendHeaders] and [https://gitweb.torproject.org/pde/https-
 everywhere.git/blob/7d51c7dcf570b177fa76bfd42cba010232245c09:/chromium/background.js#l169
 onHeadersReceived].  onHeadersReceived makes sense to me; it looks like a
 straightforward test to see whether a newly set cookie
 should be secured, modulo the apparent bug that it didn't check whether
 the protocol was HTTPS before securing the cookie.

 onBeforeSendHeaders looks is weirder.  If I had to interpret what it does,
 it looks like a reimplementation of the idea of secure cookies at all: ie,
 figure out if you want a cookie to be secure and if you do, delete it from
 outgoing HTTP (non-S) requests.  Git blame tells me that it's Aaron's
 fault, though I'm not sure if he was just committing something Mike had
 written.  Are we in the business of reimplementing the secure cookie flag
 because of a race condition?  Or for some other reason?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7492#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: [tor-bugs] #8423 [TorBrowserButton]: TBB always clears cookies at shutdown
Next by Author: Re: [tor-bugs] #8154 [EFF-HTTPS Everywhere]: HTTPS Everywhere chrome makes google.cn ssl not correctly
Previous by thread: Re: [tor-bugs] #8423 [TorBrowserButton]: TBB always clears cookies at shutdown
Next by thread: Re: [tor-bugs] #7492 [EFF-HTTPS Everywhere]: [CHROME] Do not flag cookies from HTTP origins as "secure"
Index(es):
- Author
- Thread