HTTPS Everywhere's SSL Observatory code doesn't honor domain isolation.
The HTTPS request made to check.torproject.org as part of startup doesn't use domain isolation at all.
How to reproduce:
- Monitor the SOCKS traffic (or circuit list).
- Start Tor Browser, get to the about:tor page.
- Gasp in horror.
Tested with 6.0.5.
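
One way to carry out the "monitor the SOCKS traffic" step, as an added example that is not part of the original ticket or of any project's code: it assumes domain isolation is visible as SOCKS5 username/password credentials (RFC 1929) on each client connection, so a connection that carries none is treated as unisolated. The byte strings, the username `example.com` and the password `0` are constructed sample values.

```python
import ipaddress
import struct

def parse_socks5_client(data: bytes) -> dict:
    """Parse the client-to-proxy bytes of one SOCKS5 connection (RFC 1928/1929)."""
    try:
        if data[0] != 5:
            raise ValueError("not a SOCKS5 greeting")
        pos = 2 + data[1]                  # skip VER, NMETHODS and the METHODS list
        user = None
        if data[pos] == 1:                 # RFC 1929 username/password sub-negotiation
            ulen = data[pos + 1]
            user = data[pos + 2:pos + 2 + ulen].decode("utf-8", "replace")
            plen = data[pos + 2 + ulen]
            pos += 3 + ulen + plen
        if data[pos] != 5:
            raise ValueError("no SOCKS5 request after the handshake")
        atyp = data[pos + 3]
        pos += 4                           # skip VER, CMD, RSV, ATYP
        if atyp == 3:                      # domain name, length-prefixed
            n = data[pos]
            host = data[pos + 1:pos + 1 + n].decode("ascii", "replace")
            pos += 1 + n
        elif atyp in (1, 4):               # IPv4 or IPv6 literal
            n = 4 if atyp == 1 else 16
            host = str(ipaddress.ip_address(data[pos:pos + n]))
            pos += n
        else:
            raise ValueError("unknown address type")
        (port,) = struct.unpack("!H", data[pos:pos + 2])
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated SOCKS5 stream") from exc
    return {"user": user, "dest": f"{host}:{port}"}

def unisolated(streams):
    """Destinations reached over connections that carried no credentials."""
    parsed = [parse_socks5_client(s) for s in streams]
    return [p["dest"] for p in parsed if p["user"] is None]

def _sample(host: bytes, port: int, user: bytes = None) -> bytes:
    """Build constructed client bytes; the password b"0" is a placeholder."""
    auth = b"" if user is None else b"\x01" + bytes([len(user)]) + user + b"\x01" + b"0"
    greeting = b"\x05\x01\x00" if user is None else b"\x05\x02\x00\x02"
    return (greeting + auth + b"\x05\x01\x00\x03" + bytes([len(host)]) + host
            + struct.pack("!H", port))

SAMPLES = [_sample(b"www.example.com", 443, b"example.com"),   # constructed
           _sample(b"check.torproject.org", 443)]              # constructed

if __name__ == "__main__":
    print(unisolated(SAMPLES))
```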