Hey Tom and co,
I am the person who wrote the fix in a hurry 14 months ago (as a stop-gap before FF38 with all its referer goodness was released). Glad it's finally being reviewed!
Here is the patch: https://github.com/diracdeltas/torbutton/pull/1/files
Here is the ticket: https://trac.torproject.org/projects/tor/ticket/9623
The patch only clears referer on cross-domain requests involving THS's. So referer will be preserved on http(s)://www.facebookcorewwwi.onion to http(s)://cdn.facebookcorewwwi.onion, for instance. Referer will NOT be sent to http(s)://someotheronion.onion or http://google.com, for instance.
I agree HS owners can do this with CSP1.1 right now (or the old <meta> referrer tags, though i think that was reverted in Firefox?) but it's important enough to prevent leaks that I think the client should handle it.
Cheers,
Yan
On 10/6/15 9:57 PM, Tom Ritter wrote:
What's the fix in the works? There is a specification being developed_______________________________________________
to allow sites to opt to remove referers (or opt to let them leak
*more* information.) http://www.w3.org/TR/referrer-policy/
(If you're wondering why one would want to leak more information, it's
basically to promote HTTPS adoption. One of the things holding back
HTTPS adoption is the lack of Referer on a HTTPS->HTTP link, so by
removing that constraint, the originating origin can move to HTTPS.)
Firefox supports Referrer Policy as of 36:
https://blog.mozilla.org/security/2015/01/21/meta-referrer/ so
arguably HS owners have the ability to fix this themselves for users
on ESR38.
-tom
On 6 October 2015 at 18:15, Tim Wilson-Brown - teor <teor2345@gmail.com> wrote:
Hi All,_______________________________________________
Currently there’s an information leak in Tor Browser: it sends referrer
headers containing .onion site addresses when the user clicks on a link on
the .onion site.
There’s a fix in the works, but we were wondering:
Does anyone’s hidden service depend on the referrer header?
The currently favoured fix is to stop sending referrers cross-origin
(between different .onion sites, and between .onion sites and sites on the
internet).
But this may break sites that are set up with multiple .onion addresses and
use referrers to check that requests are coming from the parent site.
(People sometimes set up different .onion sites to serve different types of
content, such as images.)
In general, I would discourage people from using referrers in this way,
because they aren’t secure and can be faked.
But does anyone have a compelling use case for cross-origin referrers, or is
using them at the moment?
We could include a preference if removing them would break too many sites.
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com
PGP 968F094B
teor at blah dot im
OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
_______________________________________________
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev