Opened 7 months ago

Last modified 5 months ago

#28719 new defect

Clicking on embedded links seems to cause FPI mismatch

Reported by: gk
Owned by: tbb-team
Priority: Medium
Component: Applications/Tor Browser
Severity: Normal
Keywords: tbb-linkability, tbb-8.0-issues

Description (last modified by gk)

Starting with Tor Browser 8, if one clicks on a link to, say, an image on a different domain, one first sees Torbutton log output about a request to the old domain in the URL bar and then to the new one. For instance, if one clicks on the image link on

https://people.torproject.org/~gk/tests/image_pdf_fpi.html

the result is something like

[12-04 09:21:38] Torbutton INFO: tor SOCKS: https://www.w3schools.com/html/img_logo.gif via
                       torproject.org:b1e105e74a9fc3a64a2ce2ac582c0640
[12-04 09:21:38] Torbutton INFO: tor SOCKS: https://www.w3schools.com/html/img_logo.gif via
                       w3schools.com:81afd299054bcc8fc31c931087161bfe
GET https://www.w3schools.com/html/img_logo.gif 
[HTTP/2.0 200 OK 1787ms]

Note, there is only one GET request actually issued, which could be a hint for a similar logging-only issue like #18762 and #16324.

This got noted on our blog: https://blog.torproject.org/comment/278684#comment-278684 (and similar comments on the 8.5a5 blog post).
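
A way to check a saved Torbutton log for the pattern described above, as an added example that is not part of the ticket or of Torbutton: it groups `tor SOCKS` lines by URL and lists URLs logged under more than one first-party domain, together with the number of GET lines seen for each. The function names are hypothetical and the `example.test` entry in the sample is constructed.

```python
import re
from collections import defaultdict

# Excerpt in the format shown in the ticket; the last entry is constructed
# (hypothetical URL and nonce) to show a request that is not flagged.
SAMPLE_LOG = """\
[12-04 09:21:38] Torbutton INFO: tor SOCKS: https://www.w3schools.com/html/img_logo.gif via
                       torproject.org:b1e105e74a9fc3a64a2ce2ac582c0640
[12-04 09:21:38] Torbutton INFO: tor SOCKS: https://www.w3schools.com/html/img_logo.gif via
                       w3schools.com:81afd299054bcc8fc31c931087161bfe
GET https://www.w3schools.com/html/img_logo.gif
[HTTP/2.0 200 OK 1787ms]
[12-04 09:22:01] Torbutton INFO: tor SOCKS: https://example.test/a.css via
                       example.test:00000000000000000000000000000000
GET https://example.test/a.css
"""

# "\s+" after "via" lets one match span the wrapped continuation line.
SOCKS_RE = re.compile(
    r"Torbutton INFO: tor SOCKS: (?P<url>\S+) via\s+"
    r"(?P<fpd>[^\s:]+):(?P<nonce>[0-9a-f]+)"
)
GET_RE = re.compile(r"^GET (?P<url>\S+)", re.MULTILINE)


def isolation_report(log_text):
    """Map each URL to the first-party domains it was logged under and its GET count."""
    report = defaultdict(lambda: {"first_parties": [], "gets": 0})
    for m in SOCKS_RE.finditer(log_text):
        seen = report[m["url"]]["first_parties"]
        if m["fpd"] not in seen:
            seen.append(m["fpd"])
    for m in GET_RE.finditer(log_text):
        report[m["url"]]["gets"] += 1
    return dict(report)


def mismatches(log_text):
    """Return only the URLs logged under more than one first-party domain."""
    return {url: info for url, info in isolation_report(log_text).items()
            if len(info["first_parties"]) > 1}


if __name__ == "__main__":
    for url, info in mismatches(SAMPLE_LOG).items():
        print(url, info["first_parties"], "GETs:", info["gets"])
```

A URL with two first-party domains but a single GET matches what the description reports; the script only surfaces the pattern and does not decide whether it is a logging-only artifact.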

Change History (3)

comment:1 Changed 6 months ago by gk

Description: modified (diff)

comment:2 Changed 5 months ago by gk

https://blog.torproject.org/comment/279616#comment-279616 might be the same issue with JS resources.

comment:3 in reply to:  2 Changed 5 months ago by cypherpunks

Replying to gk:

https://blog.torproject.org/comment/279616#comment-279616 might be the same issue with JS resources.

HAR (cropped because of Trac):

      {
        "pageref": "page_1",
        "startedDateTime": "2019-02-05T10:07:36.244+00:00",
        "request": {
          "bodySize": 0,
          "method": "GET",
          "url": "https://hg.mozilla.org/static/3b362b7a9144/mercurial.js",
          "httpVersion": "HTTP/2.0",
          "headers": [
            {
              "name": "Host",
              "value": "hg.mozilla.org"
            },
            {
              "name": "User-Agent",
              "value": "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"
            },
            {
              "name": "Accept",
              "value": "*/*"
            },
            {
              "name": "Accept-Language",
              "value": "en-US,en;q=0.5"
            },
            {
              "name": "Accept-Encoding",
              "value": "gzip, deflate, br"
            },
            {
              "name": "Referer",
              "value": "https://hg.mozilla.org/releases/mozilla-esr60/rev/fe547fe73bba"
            },
            {
              "name": "Connection",
              "value": "keep-alive"
            }
          ],
          "cookies": [],
          "queryString": [],
          "headersSize": 0
        },
        "response": {
          "status": 200,
          "statusText": "OK",
          "httpVersion": "HTTP/2.0",
          "headers": [
            {
              "name": "server",
              "value": "Apache"
            },
            {
              "name": "cache-control",
              "value": "max-age=31536000, immutable"
            },
            {
              "name": "content-type",
              "value": "application/javascript"
            },
            {
              "name": "strict-transport-security",
              "value": "max-age=31536000"
            },
            {
              "name": "date",
              "value": "Tue, 05 Feb 2019 10:04:36 GMT"
            },
            {
              "name": "accept-ranges",
              "value": "bytes"
            },
            {
              "name": "access-control-allow-origin",
              "value": "*"
            },
            {
              "name": "etag",
              "value": "\"3da3-572da3410ec78\""
            },
            {
              "name": "x-content-type-options",
              "value": "nosniff"
            },
            {
              "name": "last-modified",
              "value": "Tue, 07 Aug 2018 15:39:45 GMT"
            },
            {
              "name": "content-length",
              "value": "15779"
            },
            {
              "name": "X-Firefox-Spdy",
              "value": "h2"
            }
          ],
          "cookies": [],
          "content": {
            "mimeType": "application/javascript",
            "size": 0,
            "text": ""
          },
          "redirectURL": "",
          "headersSize": 0,
          "bodySize": null
        },
        "cache": {
          "afterRequest": null
        },
        "timings": {
          "blocked": 0,
          "dns": 0,
          "ssl": 0,
          "connect": 0,
          "send": 0,
          "wait": 0,
          "receive": 0
        },
        "time": 0,
        "_securityState": "secure"
      },

Reported zero size for cached JS:

            "mimeType": "application/javascript",
            "size": 0,
            "text": ""