Move Referrer spoofing for .onion domains out of Torbutton

In #9623 (moved) spoofing the referrer got fixed for requests to .onion domains. We should convert that patch into a C++ one we ship with tor-browser.

added TorBrowserTeam201609R component::applications/tor browser owner::arthuredelstein priority::medium resolution::fixed severity::normal sponsor::U status::closed tbb-torbutton-conversion type::task labels

Trac:
Sponsor: N/A to SponsorU

Getting important SponsorU things on our August radar.

Trac:
Keywords: N/A deleted, TorBrowserTeam201608 added

Tickets for September.

Trac:
Keywords: TorBrowserTeam201608 deleted, TorBrowserTeam201609 added

Trac:
Cc: N/A to arthuredelstein

Here are patches for review: https://github.com/arthuredelstein/tor-browser/commit/17334 https://github.com/arthuredelstein/torbutton/commit/17334

Trac:
Keywords: TorBrowserTeam201609 deleted, TorBrowserTeam201609R added
Severity: N/A to Normal
Status: new to needs_review
Reviewer: N/A to N/A

Trac:
Status: needs_review to accepted
Owner: tbb-team to arthuredelstein

Trac:
Status: accepted to needs_review

Kathy and I reviewed this and it looks OK. We did not build and run the code. How much testing have you done?

Replying to mcs:

Kathy and I reviewed this and it looks OK. We did not build and run the code. How much testing have you done?

More now. :) I have set up a hidden site that lets us test this feature manually: http://5oyaubgz5hqruonh.onion/test17334.html

If you apply only the torbutton patch in comment:5, then referrer spoofing is disabled. But if you apply the tor-browser.git patch as well, then spoofing works again.

It would be nice to write an automated test, but I'm not sure what the best approach is, as we need to be able to simulate an onion site or connect to a real one.

Looks good to me. This will go into 6.5a3 as well. Cherry-picked to torbutton master (commit 7f7129eb1eac515ca77d9f4b06bbf4b150fcffbe) and tor-browser-45.3.0esr-6.5-1 (commit 5837ac47afae9ca736ec4c4fedf0d83d6a601bc9).

Trac:
Resolution: N/A to fixed
Status: needs_review to closed

Replying to arthuredelstein:

It would be nice to write an automated test, but I'm not sure what the best approach is, as we need to be able to simulate an onion site or connect to a real one.

I opened ticket #20187 (moved) for that.

closed

mentioned in issue #20187 (moved)

mentioned in issue tpo/applications/tor-browser-bundle-testsuite#20187

moved to tpo/applications/tor-browser#17334 (closed)