Opened 5 years ago

Closed 5 years ago

#13900 closed enhancement (fixed)

Write Firefox patch for removing third-party HTTP authentication tokens

Reported by: gk
Owned by: mcs
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity:
Keywords: tbb-linkability, tbb-firefox-patch, tbb-testcase, TorBrowserTeam201502R
Cc: mikeperry, brade, mcs
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


We still remove third-party HTTP authentication tokens in the SafeCache related code. We should turn that into a C++ patch + a proper test and get rid of the JS code as it is not needed anymore since the fix for #13742 landed.

Change History (6)

comment:1 Changed 5 years ago by mikeperry

Keywords: TorBrowserTeam201501 added

I think we should aim for having this as part of our third-party isolation feature merge for FF38.

comment:2 Changed 5 years ago by mcs

Cc: mikeperry brade mcs added
Owner: changed from tbb-team to mcs
Status: changed from new to assigned

comment:3 Changed 5 years ago by mcs

Kathy and I are working on this. Our current thinking is that we will modify nsHttpChannel::BeginConnect() and nsHttpChannel::DoAuthRetry() to suppress the Authorization header when the request is a third party one. That approach will keep the behavior consistent with what is implemented by Torbutton's stanford-safecache.js code today.

We will use methods from ThirdPartyUtil to determine if the request is a third party request. We may need to whitelist requests whose parent is "chrome://browser/content/browser.xul" to allow for authenticated favicon requests (as is done in stanford-safecache.js).
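
The decision described in comment:3, as an added stand-alone C++ model that is not the Tor Browser patch or code from this ticket. It does not call nsHttpChannel or ThirdPartyUtil; the names HostOf, BaseDomain, IsThirdParty, Request and SuppressThirdPartyAuth, the three-entry suffix set and the sample URLs are assumptions made for illustration.

```cpp
// Added illustration (hypothetical names). kSuffixes stands in for the Public Suffix List.
#include <map>
#include <set>
#include <string>

static const std::set<std::string> kSuffixes = {"com", "org", "co.uk"};
static const std::string kBrowserChrome = "chrome://browser/content/browser.xul";

// Host of a URL without userinfo or port (IPv6 literals are not handled).
std::string HostOf(const std::string& url) {
  auto start = url.find("://");
  if (start == std::string::npos) return "";
  std::string auth = url.substr(start + 3, url.find_first_of("/?#", start + 3) - start - 3);
  auth.erase(0, auth.rfind('@') + 1);  // npos + 1 wraps to 0: nothing erased without '@'
  return auth.substr(0, auth.find(':'));
}

// Registrable domain: the longest known suffix plus one label to its left.
std::string BaseDomain(const std::string& host) {
  std::size_t prev = 0, cur = 0;
  while (true) {
    if (kSuffixes.count(host.substr(cur))) return host.substr(prev);
    auto dot = host.find('.', cur);
    if (dot == std::string::npos) return host;  // no known suffix: compare whole host
    prev = cur; cur = dot + 1;
  }
}

bool IsThirdParty(const std::string& url, const std::string& firstParty) {
  return BaseDomain(HostOf(url)) != BaseDomain(HostOf(firstParty));
}

struct Request {
  std::string url, firstParty, parent;         // target, URL-bar document, loading document
  std::map<std::string, std::string> headers;  // assumes canonical header-name casing
};

// Drops Authorization from a third-party request; returns true if it was removed.
bool SuppressThirdPartyAuth(Request& req) {
  if (req.parent == kBrowserChrome) return false;  // possible favicon exception (comment:3)
  if (!IsThirdParty(req.url, req.firstParty)) return false;
  return req.headers.erase("Authorization") > 0;
}

int main() {
  Request r{"https://img.tracker.com/p.gif", "https://www.example.com/",
            "https://www.example.com/", {{"Authorization", "Basic constructed"}}};
  return SuppressThirdPartyAuth(r) ? 0 : 1;
}
```

Comparing registrable domains rather than full hosts is what keeps a subdomain of the URL-bar site first party in this model.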

comment:4 Changed 5 years ago by mikeperry

Keywords: TorBrowserTeam201502 added; TorBrowserTeam201501 removed

comment:5 Changed 5 years ago by mcs

Keywords: TorBrowserTeam201502R added; TorBrowserTeam201502 removed
Status: changed from assigned to needs_review

comment:6 Changed 5 years ago by mikeperry

Resolution: fixed
Status: changed from needs_review to closed

Ok, this looks good to me. For now, I am thinking we will make a push for writing tests when we revisit this in April/May for the Firefox 38 rebase.