Opened 2 years ago

Last modified 2 years ago

#25484 new defect

document.referrer leaks hidden service to clearnet service.

Reported by: kkm Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Onion services might implement third-parties via clearnet like https://www.nytimes3xbfgragh.onion/ loads https://securepubads.g.doubleclick.net/.

Most of the times, these third-party scripts collects referrer via document.referrer. In these cases document.referrer gives access to the onion url, which is then sent to these third-parties.

Although, Tor does prevent sending referrer to clearnet sites on click(https://trac.torproject.org/projects/tor/ticket/9623), but in cases explained above, this does not hold true.

Also, because these third-parties also sends the current URL home, even in that case onion service URL is sent.

Child Tickets

Attachments (2)

ref.png (79.3 KB) - added by kkm 2 years ago.
url-document-ref.png (132.1 KB) - added by kkm 2 years ago.

Download all attachments as: .zip

Change History (3)

Changed 2 years ago by kkm

Attachment: ref.png added

Changed 2 years ago by kkm

Attachment: url-document-ref.png added

comment:1 Changed 2 years ago by kkm

Component: - Select a componentApplications/Tor Browser
Owner: set to tbb-team
Note: See TracTickets for help on using tickets.