#17334 closed task (fixed)
Move Referrer spoofing for .onion domains out of Torbutton
| Reported by: | gk | Owned by: | arthuredelstein |
|---|---|---|---|
| Priority: | Medium | Milestone: | |
| Component: | Applications/Tor Browser | Version: | |
| Severity: | Normal | Keywords: | tbb-torbutton-conversion, TorBrowserTeam201609R |
| Cc: | arthuredelstein | Actual Points: | |
| Parent ID: | Points: | ||
| Reviewer: | Sponsor: | SponsorU |
Description
In #9623 spoofing the referrer got fixed for requests to .onion domains. We should convert that patch into a C++ one we ship with tor-browser.
Child Tickets
Change History (11)
comment:1 Changed 3 years ago by
| Sponsor: | → SponsorU |
|---|
comment:2 Changed 3 years ago by
| Keywords: | TorBrowserTeam201608 added |
|---|
comment:3 Changed 3 years ago by
| Keywords: | TorBrowserTeam201609 added; TorBrowserTeam201608 removed |
|---|
Tickets for September.
comment:4 Changed 3 years ago by
| Cc: | arthuredelstein added |
|---|
comment:5 Changed 3 years ago by
| Keywords: | TorBrowserTeam201609R added; TorBrowserTeam201609 removed |
|---|---|
| Severity: | → Normal |
| Status: | new → needs_review |
Here are patches for review:
https://github.com/arthuredelstein/tor-browser/commit/17334
https://github.com/arthuredelstein/torbutton/commit/17334
comment:6 Changed 3 years ago by
| Owner: | changed from tbb-team to arthuredelstein |
|---|---|
| Status: | needs_review → accepted |
comment:7 Changed 3 years ago by
| Status: | accepted → needs_review |
|---|
comment:8 follow-up: 9 Changed 3 years ago by
Kathy and I reviewed this and it looks OK. We did not build and run the code. How much testing have you done?
comment:9 follow-up: 11 Changed 3 years ago by
Replying to mcs:
Kathy and I reviewed this and it looks OK. We did not build and run the code. How much testing have you done?
More now. :) I have set up a hidden site that lets us test this feature manually:
http://5oyaubgz5hqruonh.onion/test17334.html
If you apply only the torbutton patch in comment:5, then referrer spoofing is disabled. But if you apply the tor-browser.git patch as well, then spoofing works again.
It would be nice to write an automated test, but I'm not sure what the best approach is, as we need to be able to simulate an onion site or connect to a real one.
comment:10 Changed 3 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | needs_review → closed |
Looks good to me. This will go into 6.5a3 as well. Cherry-picked to torbutton master (commit 7f7129eb1eac515ca77d9f4b06bbf4b150fcffbe) and tor-browser-45.3.0esr-6.5-1 (commit 5837ac47afae9ca736ec4c4fedf0d83d6a601bc9).
comment:11 Changed 3 years ago by
Replying to arthuredelstein:
It would be nice to write an automated test, but I'm not sure what the best approach is, as we need to be able to simulate an onion site or connect to a real one.
I opened ticket #20187 for that.
Getting important SponsorU things on our August radar.