[tor-bugs] #32948 [Applications/Tor Browser]: Make referer behavior consistent regardless of private browsing mode status
#32948: Make referer behavior consistent regardless of private browsing mode status
-------------------------------------+-------------------------------------
Reporter: cypherpunks                | Owner: tbb-team
Type: enhancement                    | Status: new
Priority: Medium                     | Component: Applications/Tor Browser
Version:                             | Severity: Normal
Keywords: referer, referrer,         | Actual Points:
  private browsing, pbm              |
Parent ID:                           | Points:
Reviewer:                            | Sponsor:
-------------------------------------+-------------------------------------
Tor Browser's default [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy referrer policy]
when in private browsing mode is ''strict-origin-when-cross-origin'', but
when private browsing mode is turned off its referrer policy is
''no-referrer-when-downgrade''. This is governed by the
`network.http.referer.defaultPolicy.pbmode` and
`network.http.referer.defaultPolicy` preferences, documented
[https://wiki.mozilla.org/Security/Referrer here].
This means that by default Tor Browser strips the path component from the
referer header when making cross-origin requests. But if private browsing
mode is turned off, it sends the complete URL instead.
__Example__
User navigates to `https://example.org/page.html` and the browser makes a
request for an embedded image located at
`https://static.cdn.com/image.gif`
PBM = on, Referer = !https://example.org/
PBM = off, Referer = !https://example.org/page.html
This is undesirable because it makes it easy to passively detect TB users
who have turned PBM off with nothing more than standard web server logs.
And although it is advised against, it is apparent from comments and
discussions online that a number of users with relaxed security
requirements turn off private browsing mode to take advantage of features
such as the browser password manager and URL bar history suggestions.
For this reason, I think it would be good to remove this inconsistency.
This can be accomplished by changing the default value of
`network.http.referer.defaultPolicy` to 2 so that it matches that of its
PBM counterpart (`network.http.referer.defaultPolicy.pbmode`). This would
be in the interest of all TB users, not just those who turn off private
browsing mode, because it increases uniformity.
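The following is an added illustration, not part of the ticket or of Tor Browser's code: a small Python model of the four referrer policies behind `network.http.referer.defaultPolicy` (Firefox's numeric values 0 = no-referrer, 1 = same-origin, 2 = strict-origin-when-cross-origin, 3 = no-referrer-when-downgrade) applied to the ticket's example request. The `TOR_BROWSER_DEFAULTS` table (PBM on = 2, PBM off = 3) is an assumption derived from the policy names the ticket gives; the helper names are the author's own. Running it reproduces the two Referer values shown above and shows that setting both prefs to 2, as proposed, makes the two modes agree.

```python
from urllib.parse import urlsplit

# Numeric values Firefox uses for network.http.referer.defaultPolicy and
# network.http.referer.defaultPolicy.pbmode.
NO_REFERRER = 0
SAME_ORIGIN = 1
STRICT_ORIGIN_WHEN_CROSS_ORIGIN = 2
NO_REFERRER_WHEN_DOWNGRADE = 3

# Assumed current Tor Browser defaults, mapped from the policy names in
# the ticket: private browsing on -> 2, off -> 3.
TOR_BROWSER_DEFAULTS = {True: STRICT_ORIGIN_WHEN_CROSS_ORIGIN,
                        False: NO_REFERRER_WHEN_DOWNGRADE}

# What the ticket proposes: both prefs set to 2.
PROPOSED_DEFAULTS = {True: STRICT_ORIGIN_WHEN_CROSS_ORIGIN,
                     False: STRICT_ORIGIN_WHEN_CROSS_ORIGIN}


def origin(url):
    """scheme://host[:port]; userinfo, path, query and fragment are dropped."""
    p = urlsplit(url)
    host = p.hostname or ""
    return f"{p.scheme}://{host}" + (f":{p.port}" if p.port else "")


def full_referer(url):
    """The 'complete URL' form of Referer: origin + path + query, no fragment."""
    p = urlsplit(url)
    path = p.path or "/"
    return origin(url) + path + (f"?{p.query}" if p.query else "")


def referer_for(policy, source_url, target_url):
    """Return the Referer value sent for a request from source_url to
    target_url under the given policy, or None when the header is omitted."""
    same_origin = origin(source_url) == origin(target_url)
    # A downgrade is an https page requesting a non-https resource.
    downgrade = (urlsplit(source_url).scheme == "https"
                 and urlsplit(target_url).scheme != "https")
    if policy == NO_REFERRER:
        return None
    if policy == SAME_ORIGIN:
        return full_referer(source_url) if same_origin else None
    if policy == STRICT_ORIGIN_WHEN_CROSS_ORIGIN:
        if downgrade:
            return None
        # Cross-origin requests get the origin only (path stripped).
        return full_referer(source_url) if same_origin else origin(source_url) + "/"
    if policy == NO_REFERRER_WHEN_DOWNGRADE:
        # Cross-origin requests still carry the full URL unless downgrading.
        return None if downgrade else full_referer(source_url)
    raise ValueError(f"unknown referrer policy value {policy!r}")


def tor_browser_referer(pbm_on, source_url, target_url,
                        defaults=TOR_BROWSER_DEFAULTS):
    """Referer Tor Browser would send given the PBM state and a pref table."""
    return referer_for(defaults[pbm_on], source_url, target_url)


if __name__ == "__main__":
    # The ticket's example: a page embedding an image from another origin.
    src = "https://example.org/page.html"
    dst = "https://static.cdn.com/image.gif"
    for label, table in (("current", TOR_BROWSER_DEFAULTS),
                         ("proposed", PROPOSED_DEFAULTS)):
        for pbm in (True, False):
            ref = tor_browser_referer(pbm, src, dst, table)
            print(f"{label:8} PBM = {'on' if pbm else 'off':3} Referer = {ref}")
```

The distinguishing case is the cross-origin, non-downgrade request: policy 3 leaks the page path, policy 2 reduces it to the origin, and every other case (same-origin, downgrade) yields the same value under both policies.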
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32948>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online