[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-bugs] #6458 [Firefox Patch Issues]: Disable HSTS for third party content on non-HSTS domains
#6458: Disable HSTS for third party content on non-HSTS domains
----------------------------------+-----------------------------------------
Reporter: mikeperry | Owner: mikeperry
Type: defect | Status: new
Priority: major | Milestone:
Component: Firefox Patch Issues | Version:
Keywords: tbb-linkability | Parent:
Points: | Actualpoints:
----------------------------------+-----------------------------------------
With proper cache+identifier siloing to url bar origin, it is no longer a
security issue to allow 3rd party content from HSTS urls to get loaded
from non-HSTS sites. Therefore, we can disable HSTS enforcement for third
parties in this case.
This will eliminate a super-cookie vector that HSTS creates (registering
32 domains, using HSTS for each domain as a bit).
This is going to be a painful patch to write, though...
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6458>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs