Opened 4 years ago

Closed 3 years ago

Last modified 3 years ago

#17334 closed task (fixed)

Move Referrer spoofing for .onion domains out of Torbutton

Reported by: gk
Owned by: arthuredelstein
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-torbutton-conversion, TorBrowserTeam201609R
Cc: arthuredelstein
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor: SponsorU

Description

In #9623 spoofing the referrer got fixed for requests to .onion domains. We should convert that patch into a C++ one we ship with tor-browser.

Change History (11)

comment:1 Changed 3 years ago by gk

Sponsor: SponsorU

comment:2 Changed 3 years ago by gk

Keywords: TorBrowserTeam201608 added

Getting important SponsorU things on our August radar.

comment:3 Changed 3 years ago by gk

Keywords: TorBrowserTeam201609 added; TorBrowserTeam201608 removed

Tickets for September.

comment:4 Changed 3 years ago by arthuredelstein

Cc: arthuredelstein added

comment:5 Changed 3 years ago by arthuredelstein

Keywords: TorBrowserTeam201609R added; TorBrowserTeam201609 removed
Severity: Normal
Status: new → needs_review

comment:6 Changed 3 years ago by arthuredelstein

Owner: changed from tbb-team to arthuredelstein
Status: needs_review → accepted

comment:7 Changed 3 years ago by arthuredelstein

Status: accepted → needs_review

comment:8 Changed 3 years ago by mcs

Kathy and I reviewed this and it looks OK. We did not build and run the code. How much testing have you done?

comment:9 in reply to: 8; Changed 3 years ago by arthuredelstein

Replying to mcs:

> Kathy and I reviewed this and it looks OK. We did not build and run the code. How much testing have you done?

More now. :) I have set up a hidden site that lets us test this feature manually:
http://5oyaubgz5hqruonh.onion/test17334.html

If you apply only the torbutton patch in comment:5, then referrer spoofing is disabled. But if you apply the tor-browser.git patch as well, then spoofing works again.

It would be nice to write an automated test, but I'm not sure what the best approach is, as we need to be able to simulate an onion site or connect to a real one.

comment:10 Changed 3 years ago by gk

Resolution: fixed
Status: needs_review → closed

Looks good to me. This will go into 6.5a3 as well. Cherry-picked to torbutton master (commit 7f7129eb1eac515ca77d9f4b06bbf4b150fcffbe) and tor-browser-45.3.0esr-6.5-1 (commit 5837ac47afae9ca736ec4c4fedf0d83d6a601bc9).

comment:11 in reply to: 9; Changed 3 years ago by boklm

Replying to arthuredelstein:

> It would be nice to write an automated test, but I'm not sure what the best approach is, as we need to be able to simulate an onion site or connect to a real one.

I opened ticket #20187 for that.
