Opened 18 months ago

Last modified 18 months ago

#25072 new defect

New Identity does not clear HTTPS Everywhere extension storage

Reported by: kmodi Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-torbutton, tbb-newnym
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

When "New Identity" button is pressed, the information stored by extensions like HTTPS Everywhere is not cleared.

This might contain information, like domains which the user added as an exception.
Because, this persists on disk and is not cleared on Tor shoutdown or manually clicking "New Identity", it leaves traces of users browsing habits.

Steps to reproduce:

  1. Visit a website like cnn.com.
  2. Click on HTTPS Everywhere Icon, and uncheck CNN.COM.
  3. Restart Tor or Click on New Identity,
  4. Visit the same site again, the setting is remembered by extension.

Data on disk:
~/Library/Application\ Support/TorBrowser-Data/Browser/profile/browser-extension-data/https-everywhere-eff@…/storage.js:{"ruleActiveStates":{"CNN.com (partial)":false},"migration_version":1}

Ideally, extensions should be careful while saving data to disks. But may be Tor can also clear the storage on New Identity.

Child Tickets

Change History (3)

comment:1 Changed 18 months ago by gk

Component: HTTPS Everywhere/EFF-HTTPS EverywhereApplications/Tor Browser
Keywords: tbb-torbutton tbb-newnym added
Owner: changed from jsha to tbb-team
Summary: New Identity does not clear extension storageNew Identity does not clear HTTPS Everywhere extension storage

We might need an HTTPS-Everywhere patch, not sure yet, but for now we could try looking into patch Torbutton where the New Identity code lives and do maybe a similar thing to what we do when clearing NoScript's permissions.

comment:2 Changed 18 months ago by cypherpunks

+1 from me.

comment:3 in reply to:  2 Changed 18 months ago by cypherpunks

Replying to cypherpunks:

+1 from me.

From who?

Note: See TracTickets for help on using tickets.