Re: [tor-bugs] #2148 [Torbutton]: 1.3.x: RefSpoofer fails on 5 test cases out of 12.
#2148: 1.3.x: RefSpoofer fails on 5 test cases out of 12.
---------------------------------+------------------------------------------
Reporter: T(A)ILS developers | Owner: koryk
Type: defect | Status: assigned
Priority: critical | Milestone: Torbutton: 1.3
Component: Torbutton | Version: Torbutton: 1.3
Keywords: refspoofer | Parent:
Points: 6 | Actualpointsdone:
Pointsdone: | Actualpoints:
---------------------------------+------------------------------------------
Comment(by T(A)ILS developers):
Hi Mike,
When I reported the bug I was probably using an older version of Firefox;
now I just tried again with the version shipped in Debian squeeze, 3.5.16-4,
and Torbutton 1.3.1-alpha, and as far as the B column is concerned I get the
same results.
In case B3, going from http://domain.tld/something.html to
http://www.domain.tld/ I get:
domain.tld:80 xx.xx.xx.xx - - [15/Feb/2011:12:19:33 +0100] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
So no referrer is sent when the spec says it should send it. And I can
agree with that.
In case B2, going from http://domain.tld/something.html to
http://host.domain.tld/index.html I get:
host.domain.tld:80 xx.xx.xx.xx - - [15/Feb/2011:12:22:32 +0100] "GET /index.html HTTP/1.1" 304 - "http://host.domain.tld" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
So a referrer from the *destination* host.domain.tld is sent, which is
pretty weird indeed.
The spec is unclear but in my opinion it should not send any referrer in
this case. I understand the choice made in the spec for case B3 since we
can usually assume that domain.tld and www.domain.tld are run by the same
entity. But in the more general case of different subdomains we should
assume that it is not the case: they can be run by different entities, the
DNS can point to different IPs, the admins and owners of the CMSes can be
different. Thinking about two different wordpress.com blogs, for example
one.wordpress.com and two.wordpress.com, I might not want the admin of
two.wordpress to know that I'm coming from one.wordpress.com to visit her
blog.
I would be glad to help you more in debugging this. What extra information
can I send you?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2148#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
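The check described in the comment above, as an added example that is not part of the ticket or of Torbutton's code: it parses the two quoted access-log entries, reports which host the observed Referer points at, and compares that with the policy the comment argues for. The function names and the "strip a leading www." rule are assumptions made for this illustration.

```javascript
// Added example. Log lines are the two entries quoted in the comment, rejoined
// onto one line each and used here as sample input.
const UA = '"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"';
const ORIGIN = "http://domain.tld/something.html";
const B3_LINE = 'domain.tld:80 xx.xx.xx.xx - - [15/Feb/2011:12:19:33 +0100] "GET / HTTP/1.1" 304 - "-" ' + UA;
const B2_LINE = 'host.domain.tld:80 xx.xx.xx.xx - - [15/Feb/2011:12:22:32 +0100] "GET /index.html HTTP/1.1" 304 - "http://host.domain.tld" ' + UA;

// vhost:port ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
const LOG_RE = /^(\S+):(\d+) \S+ \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$/;

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { vhost: m[1].toLowerCase(), path: m[4], referer: m[5] === "-" ? null : m[5] };
}

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

// Assumption (not the Torbutton spec): two hosts are the same site only if
// they are equal once a leading "www." is removed.
function stripWww(host) { return host.toLowerCase().replace(/^www\./, ""); }

// Policy argued for in the comment: keep the referrer for domain.tld -> www.domain.tld,
// drop it for any other subdomain.
function shouldSendReferer(originUrl, destHost) {
  const origin = hostOf(originUrl);
  return origin !== null && stripWww(origin) === stripWww(destHost);
}

// Which host the Referer seen by the server points at, relative to the origin page.
function classify(originUrl, line) {
  const entry = parseLogLine(line);
  if (!entry) return "unparsed";
  if (entry.referer === null) return "none";
  const refHost = hostOf(entry.referer);
  if (refHost !== null && refHost === hostOf(originUrl)) return "origin";
  if (refHost === entry.vhost) return "destination";
  return "other";
}

console.log("B3:", classify(ORIGIN, B3_LINE), "expected to send:", shouldSendReferer(ORIGIN, "www.domain.tld"));
console.log("B2:", classify(ORIGIN, B2_LINE), "expected to send:", shouldSendReferer(ORIGIN, "host.domain.tld"));
```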