[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #5477 [EFF-HTTPS Everywhere]: Surprising DOM origins before HTTPS-E/NoScript redirects have completed
#5477: Surprising DOM origins before HTTPS-E/NoScript redirects have completed
-------------------------------------+--------------------------------------
    Reporter:  Drugoy                |       Owner:  ma1     
        Type:  defect                |      Status:  reopened
    Priority:  blocker               |   Milestone:          
   Component:  EFF-HTTPS Everywhere  |     Version:          
  Resolution:                        |    Keywords:          
      Parent:                        |      Points:          
Actualpoints:                        |  
-------------------------------------+--------------------------------------
Comment(by pde):
 A summary of possible solution strategies:
 1. Make every redirect via about:blank#rewrite-id.  Advantages: quick.
 Disadvantages: extremely janky, will make our code much uglier; hard to
 know whether requests will ever mutate if we do this; structures for
 tracking the rewrite-ids will be a likely source of memory leaks.
 2. Try to deny the malicious code access to the window once we're
 rewriting inside it.  Advantages: unknown.  Disadvtanges: we don't know
 whether this is possible, or how to do it.
 3. Use the HSTS machinery.  Advantages: will probably work.
 Disadvantages: will require a Firefox patch (!!!) to expose those
 mechanisms to JavaScript; the HSTS paths have probably never been tested
 with cross-domain rewrites.
 Mike Perry is looking into the feasibility of 3.
-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5477#comment:40>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs