[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #3809 [TorBrowserButton]: Hide referer spoofing option

To: undisclosed-recipients:;
Subject: [tor-bugs] #3809 [TorBrowserButton]: Hide referer spoofing option
From: "Tor Bug Tracker & Wiki" <torproject-admin@xxxxxxxxxxxxxx>
Date: Thu, 25 Aug 2011 22:35:26 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 25 Aug 2011 18:35:36 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-bugs>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: Tor bug tracker status mails <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx

#3809: Hide referer spoofing option
----------------------------------------+-----------------------------------
 Reporter:  mikeperry                   |          Owner:  mikeperry                    
     Type:  defect                      |         Status:  new                          
 Priority:  normal                      |      Milestone:  TorBrowserBundle 2.2.x-stable
Component:  TorBrowserButton            |        Version:                               
 Keywords:  MikePerryIteration20110828  |         Parent:                               
   Points:  3                           |   Actualpoints:                               
----------------------------------------+-----------------------------------
 Referer spoofing breaks browser navigation due to an interaction with our
 content policy. We could alter the content policy, but that would make the
 toggle model even less safe, because of Firefox API limitations. Basically
 the fix would increase the probability that some requests might leak
 through from one torbutton state to another.

 I am kind of torn. On the one hand, since we're don't really support the
 toggle model, it might be fine to make it (more) insecure. However, I
 don't really think the referrer blocking feature is very useful, and I am
 planning on removing it in the next major release.. So to break it for
 this reason seems kind of silly.

 Hence, let's hide the referer spoofing option, demoting it to an
 about:config pref only, to prevent people from breaking their TBBs with
 it.

 We will remove the pref entirely in a future release.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3809>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Follow-Ups:
- Re: [tor-bugs] #3809 [TorBrowserButton]: Hide referer spoofing option
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #3809 [TorBrowserButton]: Hide referer spoofing option
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #3809 [TorBrowserButton]: Remove referer spoofing support (was: Hide referer spoofing option)
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #3661 [TorBrowserButton]: Remove privoxy+polipo from banned ports
Next by Author: Re: [tor-bugs] #3429 [TorBrowserButton]: Referer blocking option breaks browser navigation
Previous by thread: Re: [tor-bugs] #3246 [Tor Browser]: Apply third party cookie patch
Next by thread: Re: [tor-bugs] #3809 [TorBrowserButton]: Hide referer spoofing option
Index(es):
- Author
- Thread