[tor-commits] [meek/master] Strip unneeded headers by default.

[dcf@xxxxxxxxxxxxxx]

commit 650f5d10115670a2b7fbe355dd11ea125256537b
Author: David Fifield <david@xxxxxxxxxxxxxxx>
Date:   Fri Feb 15 13:55:53 2019 -0700

    Strip unneeded headers by default.
    
    These are:
            Accept
            Accept-Language
            Cookie
            Origin
            User-Agent
    
    Cf. https://bugs.torproject.org/12778
    
    In the old extension we stripped *all* headers, except for
    Content-Length and Content-Type, which got set by
    nsIUploadChannel.setUploadStream; and Connection, which somehow
    automatically got the value "keep-alive".
    https://gitweb.torproject.org/pluggable-transports/meek.git/commit/?id=0e6ced86880b54f57a80b34d7f1b32a0eaa33b48
    
    In the new WebExtension, stripping all headers really strips them all,
    including Content-Length, without which web servers may refuse to deal
    with us. So instead, just delete an enumerated list of headers that seem
    unnecessary; or, like Cookie or Origin, may enable cross-session
    tracking.
    
    Before this change (url=https://meek.azureedge.net/ front=ajax.aspnetcdn.com):
    Accept: */*
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.5
    Cache-Control: no-cache
    Connection: keep-alive
    Content-Length: 0
    Host: meek.azureedge.net
    Origin: moz-extension://3b29e17d-f486-48b9-8a03-782237114ad3
    Pragma: no-cache
    TE: Trailers
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
    X-Session-Id: QE9IrvZFtFc
    
    After this change:
    Accept-Encoding: gzip, deflate, br
    Cache-Control: no-cache
    Connection: keep-alive
    Content-Length: 0
    Host: meek.azureedge.net
    Pragma: no-cache
    TE: Trailers
    X-Session-Id: CKOaxq4SVqM
---
 webextension/background.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/webextension/background.js b/webextension/background.js
index 1ffb828..664e758 100644
--- a/webextension/background.js
+++ b/webextension/background.js
@@ -135,7 +135,6 @@ async function roundtrip(request) {
         // Don't follow redirects (we'll get resp.status:0 if there is one).
         init.redirect = "manual";
 
-        // TODO: strip Origin header?
         // TODO: proxy
     } catch (error) {
         return {error: `request spec failed valiation: ${error.message}`};
@@ -165,6 +164,10 @@ async function roundtrip(request) {
                 .map(x => ({name: x[0], value: x[1]}));
             // Remove all browser headers that conflict with requested headers.
             let overrides = Object.fromEntries(headers.map(x => [x.name.toLowerCase(), true]));
+            // Also remove some unnecessary or potentially tracking-enabling headers.
+            for (let name of ["Accept", "Accept-Language", "Cookie", "Origin", "User-Agent"]) {
+                overrides[name.toLowerCase()] = true;
+            }
             let browserHeaders = details.requestHeaders.filter(x => !(x.name.toLowerCase() in overrides));
             return {requestHeaders: browserHeaders.concat(headers)};
         } finally {



_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits