Opened 3 years ago

Last modified 3 years ago

#18107 new enhancement

Prevent automatic HTTP redirects

Reported by: slycelote
Owned by: tbb-team
Priority: Medium
Component: Applications/Tor Browser
Severity: Normal

Description

Apparently, at some point this feature was removed from Firefox. The option "Advanced -> General -> Warn me when websites try to redirect" doesn't seem to work. For example, this link redirects automatically: http://bit.ly/M4DEDa

I think that automatic HTTP redirects are a potential attack vector. (See, for example, [1]). Can the option to disable them be restored?

[1] https://www.reddit.com/r/TOR/comments/41bfwq/tor_exits_can_strip_ssl_inject_malicious_js_then/

Change History (5)

comment:1 Changed 3 years ago by teor

Confirmed on Tor Browser 5.0.7 on OS X 10.11.

comment:2 Changed 3 years ago by cypherpunks

IIRC that preference never prevented "Location" header redirects, only "meta refresh" HTML thingies.

(Also, bit.ly supports https.)

Last edited 3 years ago by cypherpunks

comment:3 Changed 3 years ago by slycelote

Maybe. All I know is, I used to get these pop-ups about redirects regularly, and now I almost never see them. So either Firefox changed something, or most sites changed the way they do redirects.

comment:4 in reply to: 3 Changed 3 years ago by cypherpunks

Replying to slycelote:

Maybe. All I know is, I used to get these pop-ups about redirects regularly, and now I almost never see them. So either Firefox changed something, or most sites changed the way they do redirects.

If that's all you know then that's what you should have said.

Anyway, as I said, "accessibility.blockautorefresh" never prevented redirections caused by HTTP "Location" headers, only those caused by HTML "<meta ...refresh...>" elements and (this one I didn't know) "Refresh" HTTP headers:

BTW, the last comment in that bug report mentions an interesting preference: "network.http.redirection-limit".
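The distinction drawn in comment:4 (Location header versus Refresh header versus meta refresh) is easy to check against a captured response. The following is an added example, not code from the ticket or from Tor Browser: it classifies every redirect mechanism present in one HTTP response and marks which ones comment:4 says accessibility.blockautorefresh covers; the sample responses are constructed, and the names `classify_redirects`/`parse_refresh` are this example's own.

```python
import re
from html.parser import HTMLParser

# Three redirect mechanisms discussed in this ticket. Per comment:4, Firefox's
# accessibility.blockautorefresh covers only the Refresh header and <meta refresh>;
# a 3xx response with a Location header is never intercepted by it.
LOCATION, REFRESH_HEADER, META_REFRESH = "location", "refresh-header", "meta-refresh"
# "N; url=..." as used by both the Refresh header and <meta http-equiv=refresh>
_REFRESH_RE = re.compile(r"^\s*(\d+)\s*(?:[;,]\s*url\s*=\s*['\"]?(.+?)['\"]?\s*)?$", re.I)

def parse_refresh(value):
    """Return (delay_seconds, target_or_None), or None if the value is malformed."""
    m = _REFRESH_RE.match(value)
    return (int(m.group(1)), m.group(2)) if m else None

class _MetaRefreshFinder(HTMLParser):
    """Collects every <meta http-equiv="refresh"> directive in a document."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            parsed = parse_refresh(a.get("content", ""))
            if parsed:
                self.found.append(parsed)

def classify_redirects(status, headers, body):
    """List (mechanism, delay, target, caught_by_blockautorefresh) for one response."""
    h = {k.lower(): v for k, v in headers.items()}
    out = []
    if 300 <= status < 400 and "location" in h:
        out.append((LOCATION, 0, h["location"], False))
    if "refresh" in h and (p := parse_refresh(h["refresh"])):
        out.append((REFRESH_HEADER, p[0], p[1], True))
    finder = _MetaRefreshFinder()
    finder.feed(body)
    out.extend((META_REFRESH, d, u, True) for d, u in finder.found)
    return out

# Constructed sample responses (not real captures): a shortener-style 301, and a
# page that redirects both by Refresh header and by <meta refresh>.
SAMPLES = [
    (301, {"Location": "https://example.test/landing"}, ""),
    (200, {"Refresh": "0; url=https://example.test/b"},
     "<html><head><meta http-equiv='refresh' content=\"3;URL='https://example.test/c'\"></head></html>"),
]
if __name__ == "__main__":
    for status, headers, body in SAMPLES:
        for mech, delay, target, caught in classify_redirects(status, headers, body):
            print(f"{status} {mech:15} delay={delay}s -> {target}  blockautorefresh stops it: {caught}")
```

Running it shows that the 301 is reported with `caught=False`, which is exactly the case the preference leaves open.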

comment:5 Changed 3 years ago by slycelote

Setting network.http.redirection-limit to 0 prevents redirection completely, rather than asking whether to allow it or not.

Extensions such as RedirectControl can probably help. I don't know what kinds of redirects they handle though.
