Re: [tor-bugs] #3748 [TorBrowserButton]: Isolate HTTP Auth to top-level domain
#3748: Isolate HTTP Auth to top-level domain
------------------------------+---------------------------------------------
Reporter: mikeperry | Owner: mikeperry
Type: defect | Status: new
Priority: major | Milestone: TorBrowserBundle 2.2.x-stable
Component: TorBrowserButton | Version:
Keywords: | Parent:
Points: | Actualpoints:
------------------------------+---------------------------------------------
Comment(by mikeperry):
Georg - I noticed you strip off the WWW-Authenticate header from 3rd party
responses. Does that serve any security purpose, or does it exist just to
prevent 3rd parties from being able to open auth prompts?
I am thinking that we might want the auth prompts to show up. They would
be evidence of a tracking attack using this mechanism. If the adversary
doesn't get the Authenticate header they want and then sets WWW-Authenticate,
the browser would effectively be alerting the user that the
site is trying to track them.
It might also help users diagnose issues in the event that this feature
breaks some other site that requires 3rd party auth.
What do you think?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3748#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
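The isolation the ticket asks for, and the two ways of treating a third-party 401 that the comment weighs (strip the WWW-Authenticate header, or let the prompt surface so the tracking attempt is visible), as an added model in JavaScript. This is illustration code, not Torbutton's implementation; it assumes the caller has already reduced hostnames to their registered top-level domain and lower-cased the header names.

```javascript
// Added illustration, not Torbutton's code: HTTP auth state isolated per
// top-level (first-party) domain, plus the two policies for a third-party 401
// discussed in ticket #3748. Assumes callers pass already-normalised
// registered domains and lower-case header names.

const POLICY_STRIP = "strip";   // drop WWW-Authenticate from third-party responses
const POLICY_PROMPT = "prompt"; // let the prompt appear as evidence of tracking

class IsolatedAuthStore {
  constructor(policy = POLICY_PROMPT) {
    this.policy = policy;
    this.creds = new Map(); // "<firstParty>|<origin>" -> credential
  }

  key(firstParty, origin) {
    return `${firstParty}|${origin}`;
  }

  // Credentials entered for `origin` while browsing `firstParty` stay bound
  // to that pair, so the same origin embedded under another site sees nothing.
  store(firstParty, origin, credential) {
    this.creds.set(this.key(firstParty, origin), credential);
  }

  lookup(firstParty, origin) {
    const k = this.key(firstParty, origin);
    return this.creds.has(k) ? this.creds.get(k) : null;
  }

  // Decide how to treat a 401 from `origin` loaded inside `firstParty`.
  // Returns the action taken and a copy of the headers, filtered if needed.
  handleChallenge(firstParty, origin, headers) {
    const filtered = { ...headers };
    if (origin === firstParty) {
      return { action: "first-party-prompt", headers: filtered };
    }
    if (this.lookup(firstParty, origin) !== null) {
      return { action: "reuse-isolated-credential", headers: filtered };
    }
    if (this.policy === POLICY_STRIP) {
      delete filtered["www-authenticate"];
      return { action: "stripped", headers: filtered };
    }
    // Prompt policy: a third party with no credential for this first party is
    // asking for auth; showing the prompt makes the tracking attempt visible.
    return { action: "third-party-prompt", headers: filtered };
  }
}
```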