We still remove third-party HTTP authentication tokens in the SafeCache-related code. We should turn that into a C++ patch + a proper test and get rid of the JS code as it is not needed anymore since the fix for #13742 landed.
Kathy and I are working on this. Our current thinking is that we will modify nsHttpChannel::BeginConnect() and nsHttpChannel::DoAuthRetry() to suppress the Authorization header when the request is a third party one. That approach will keep the behavior consistent with what is implemented by Torbutton's stanford-safecache.js code today.
We will use methods from ThirdPartyUtil to determine if the request is a third party request. We may need to whitelist requests whose parent is "chrome://browser/content/browser.xul" to allow for authenticated favicon requests (as is done in stanford-safecache.js).
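The decision described in the comment above, modelled as a stand-alone C++ sketch; this is an added example, not code from the Tor Browser patch or from stanford-safecache.js. The `Request` struct, `BaseDomain()`, `IsThirdParty()` and `SuppressThirdPartyAuth()` are hypothetical names, and the last-two-labels base domain is a simplification of what ThirdPartyUtil does.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <string>

// Hypothetical stand-in for the channel state the real patch would read.
struct Request {
  std::string host;            // host of the URL being fetched
  std::string firstPartyHost;  // host of the top-level (URL bar) document
  std::string parentDocument;  // URL of the document that triggered the load
  std::map<std::string, std::string> headers;  // exact-case keys (simplified)
};

// Assumption: the base domain is the last two labels. A real check needs the
// public suffix list, otherwise a.co.uk and b.co.uk look like one party.
static std::string BaseDomain(const std::string& host) {
  std::size_t last = host.rfind('.');
  if (last == std::string::npos || last == 0) return host;
  std::size_t prev = host.rfind('.', last - 1);
  return prev == std::string::npos ? host : host.substr(prev + 1);
}

static bool IsThirdParty(const Request& r) {
  return BaseDomain(r.host) != BaseDomain(r.firstPartyHost);
}

static const char kBrowserChrome[] = "chrome://browser/content/browser.xul";

// Returns true when an Authorization header was removed from the request.
bool SuppressThirdPartyAuth(Request& r) {
  // Exception from the comment: loads parented by the browser chrome
  // (authenticated favicon requests) keep their credentials.
  if (r.parentDocument == kBrowserChrome) return false;
  if (!IsThirdParty(r)) return false;
  return r.headers.erase("Authorization") > 0;
}

int main() {
  // Constructed sample: an embedded resource on a different base domain.
  Request r{"tracker.example.net", "news.example.com",
            "https://news.example.com/", {{"Authorization", "Basic abc"}}};
  std::cout << "suppressed: " << SuppressThirdPartyAuth(r) << "\n";
  return 0;
}
```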