Opened 9 months ago

Closed 9 months ago

#22320 closed defect (fixed)

Referrer not hidden when comming from a .onion address

Reported by: pege Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: ff52-esr, tbb-7.0-must, TorBrowserTeam201705R
Cc: arthuredelstein, fdsfgs@…, mcs, brade Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

In TorBroswer 7.0a4, when leaving a .onion page for a clearnet page, the .onion address is sent as referrer.

This should not be the case and has originally been disabled with this commit and appears to have been uplifted to Firefox since. The network.http.referer.hideOnionSource preference is set to true but seems to have no effect.

Steps to reproduce:

  1. Go to duckduckgo's onion page
  2. enter any search term
  3. click on one of the result
  4. open the inspector observe the .onion referrer being send to the target page

Child Tickets

Change History (11)

comment:1 Changed 9 months ago by gk

Cc: arthuredelstein added
Keywords: ff52-esr tbb-7.0-must TorBrowserTeam201705R added
Status: newneeds_review

It seems to me the Firefox patch is wrong. What we want to have is network.http.referer.spoofOnionSource and not network.http.referer.hideOnionSource. bug_22320 (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_22320&id=c3a849a2b5f57a4860c16975be9c12fed22ed910) in my public repo fixes that.

pege: Does adding that preference fix the problem for you as well?
Arthur: Assuming I am right could you open a Mozilla bug correcting the patch ("(use target URI as referer)" in all.js is wrong as well)?

comment:2 Changed 9 months ago by pege

Yes, using spoofOnionSource does the trick. hideOnionSource would appear to be the more accurate name though. Doesn't look like anything is spoofed.

comment:3 Changed 9 months ago by arthuredelstein

Yes, this was an error on my part in the Firefox patch. It should have been "network.http.referer.hideOnionSource" in the whole patch. I will post a fixup here and also submit it to Mozilla. Sorry for the mistake.

In the Mozilla patch, the decision was to hide the referrer, rather than spoofing it, when leaving an onion source.

comment:4 Changed 9 months ago by tokotoko

Cc: fdsfgs@… added

comment:5 Changed 9 months ago by arthuredelstein

Here's the patch:
https://github.com/arthuredelstein/tor-browser/commit/22320

I manually tested this and confirmed that when the pref "network.http.referer.hideOnionSource" is true, no referer is sent in the headers when leaving an onion site. But when the pref is false, a referer containing the .onion domain is sent.

comment:6 Changed 9 months ago by arthuredelstein

comment:7 Changed 9 months ago by gk

Could you correct the comment in all.js as well (see comment:1) (in the Mozilla patch, too)? Apart from that looks good to me.

comment:8 Changed 9 months ago by gk

Cc: mcs brade added

comment:9 in reply to:  7 Changed 9 months ago by arthuredelstein

Replying to gk:

Could you correct the comment in all.js as well (see comment:1) (in the Mozilla patch, too)? Apart from that looks good to me.

Good point. The comment was already corrected in https://bugzilla.mozilla.org/show_bug.cgi?id=1357247 but I didn't backport it until now.

New patch with both comment and implementation fixed:
https://github.com/arthuredelstein/tor-browser/commit/22320+1

comment:10 Changed 9 months ago by mcs

r=mcs
I did not test the patch, but it looks correct to me.

comment:11 Changed 9 months ago by gk

Resolution: fixed
Status: needs_reviewclosed

Applied to tor-browser-52.1.1esr-7.0-1 and tor-browser-52.1.0esr-7.0-2 (commit 326e9aedfec184325ae95059d12e6b674bfa9013 and f59a7bc0288dcf5efaa71ebe8f591d7edea7b7b7).

Note: See TracTickets for help on using tickets.