Re: [tor-bugs] #9623 [Tor Browser]: Referers being sent from hidden service websites
#9623: Referers being sent from hidden service websites
-------------------------+-------------------------------------------------
Reporter: cypherpunks    | Owner: tbb-team
Type: defect             | Status: needs_review
Priority: major          | Milestone:
Component: Tor Browser   | Version:
Resolution:              | Keywords: tbb-torbutton, tbb-security, TorBrowserTeam201510
Actual Points:           | Parent ID:
Points:                  | Sponsor:
-------------------------+-------------------------------------------------
Changes (by zyan):
* status: needs_revision => needs_review
Comment:
Replying to [comment:22 mikeperry]:
> I agree that .onion domains should not send cross-origin referrers by
> default. I could also see the High setting disabling them entirely, or
> applying the same origin restriction from the refSpoof component.
>
> It looks like Yan's patch works for the .onion case only. We can take
> that, if it still works. We can also alter it to have a separate pref to
> apply to everything for the High setting easily enough. I am fine with
> both.
>
> In both cases, we will need to file another tbb-torbutton-conversion
> ticket to convert this to a direct Firefox patch, but this need not block
> deploying this now.
>
i have now rebased https://github.com/diracdeltas/torbutton/pull/1 and it
seems to be working on the few .onions i've tested.
mikeperry/gk please review. thanks.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9623#comment:25>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
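
The policy discussed in this comment (an .onion page sends no cross-origin referrer, with an optional pref extending the same-origin restriction to every site) written as a standalone decision function. This is an added example, not code from the pull request or from Torbutton; `isOnionHost`, `refererToSend` and the `restrictAllOrigins` option are hypothetical names, and the addresses are constructed placeholders.

```javascript
// Added illustration; not the Torbutton patch. All names are hypothetical.

function isOnionHost(hostname) {
  // Treat "example.onion." (trailing root dot) the same as "example.onion".
  const host = hostname.replace(/\.$/, "");
  return host === "onion" || host.endsWith(".onion");
}

// Returns the Referer value to send, or null to omit the header.
// opts.restrictAllOrigins models a separate pref that applies the
// same-origin restriction to every site, not only to .onion sites.
function refererToSend(sourceUrl, destUrl, opts = {}) {
  let src, dst;
  try {
    src = new URL(sourceUrl);
    dst = new URL(destUrl);
  } catch (e) {
    return null; // unparseable URL: fail closed and send nothing
  }
  // Origin = scheme + host + port, so a different port is cross-origin.
  const sameOrigin = src.origin !== "null" && src.origin === dst.origin;
  if (!sameOrigin && (opts.restrictAllOrigins || isOnionHost(src.hostname))) {
    return null;
  }
  // Never include the fragment or credentials in the value that is sent.
  return src.origin + src.pathname + src.search;
}

// Constructed sample navigations: [source page, destination, options].
const samples = [
  ["http://exampleonionaddr.onion/inbox?id=7#top", "http://exampleonionaddr.onion/help", {}],
  ["http://exampleonionaddr.onion/inbox", "https://clearnet.example/", {}],
  ["http://exampleonionaddr.onion/a", "http://exampleonionaddr.onion:8080/a", {}],
  ["https://news.example/story", "https://other.example/", {}],
  ["https://news.example/story", "https://other.example/", { restrictAllOrigins: true }],
];

for (const [src, dst, opts] of samples) {
  console.log(src, "->", dst, JSON.stringify(opts), "=>", refererToSend(src, dst, opts));
}
```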