Re: [tor-bugs] #9623 [Tor Browser]: Referers being sent from hidden service websites
#9623: Referers being sent from hidden service websites
-------------------------+-------------------------------------------------
 Reporter:  cypherpunks   |          Owner:  tbb-team
     Type:  defect        |         Status:  needs_revision
 Priority:  major         |      Milestone:
Component:  Tor Browser   |        Version:
Resolution:               |       Keywords:  tbb-torbutton, tbb-security,
                          |                  TorBrowserTeam201510
Actual Points:            |      Parent ID:
   Points:                |        Sponsor:
-------------------------+-------------------------------------------------
Changes (by mikeperry):

 * keywords: tbb-torbutton => tbb-torbutton, tbb-security,
   TorBrowserTeam201510

Comment:

 I agree that .onion domains should not send cross-origin referrers by
 default. I could also see the High setting disabling them entirely, or
 applying the same origin restriction from the refSpoof component.

 It looks like Yan's patch works for the .onion case only. We can take
 that, if it still works. We can also alter it to have a separate pref to
 apply to everything for the High setting easily enough. I am fine with
 both.

 In both cases, we will need to file another tbb-torbutton-conversion
 ticket to convert this to a direct Firefox patch, but this need not block
 deploying this now.

 Sorry for missing Yan's initial review request.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9623#comment:22>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs