[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-commits] [tor-browser/tor-browser-45.8.0esr-7.0-1] fixup! Bug 13900: Remove 3rd party HTTP auth tokens.
commit 340377b882408b5de24ff69bcd76e774d9844e4c
Author: Arthur Edelstein <arthuredelstein@xxxxxxxxx>
Date: Fri Mar 3 21:47:20 2017 -0800
fixup! Bug 13900: Remove 3rd party HTTP auth tokens.
The HostPartIsTheSame() is too strict about deciding what is first party.
Instead we use IsThirdPartyURI() to check if the request is from
the first party. Specifically, it considers an XHR to api.twitter.com
from a twitter.com top-level page to be first-party.
This fixes bug 21555 and 16450.
---
netwerk/protocol/http/nsHttpChannel.cpp | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp
index 3a9a126..e571394 100644
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -6558,8 +6558,12 @@ nsHttpChannel::RemoveAuthorizationHeaderIfAppropriate()
nsresult rv = thirdPartySvc->GetFirstPartyURIFromChannel(this, false,
getter_AddRefs(firstPartyURI));
if (NS_SUCCEEDED(rv) && firstPartyURI) {
- isAuthAllowed = (mURI == firstPartyURI)
- || HostPartIsTheSame(firstPartyURI);
+ bool isThirdParty;
+ rv = thirdPartySvc->IsThirdPartyURI(firstPartyURI, mURI, &isThirdParty);
+ if (NS_SUCCEEDED(rv)) {
+ // Prevent third-party requests from sending auth tokens.
+ isAuthAllowed = !isThirdParty;
+ }
} else {
// We failed to get the first party URI. Check the document URI so
// that we can allow authentication if the request originates from the
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits