Opened 8 years ago

Closed 8 years ago

Last modified 7 years ago

#3809 closed defect (fixed)

Remove referer spoofing support

Reported by: mikeperry
Owned by: mikeperry
Priority: Medium
Milestone: TorBrowserBundle 2.2.x-stable
Component: TorBrowserButton
Version:
Severity:
Keywords: MikePerryIteration20110828
Cc:
Actual Points: 1
Parent ID:
Points: 3
Reviewer:
Sponsor:

Description

Referer spoofing breaks browser navigation due to an interaction with our content policy. We could alter the content policy, but that would make the toggle model even less safe, because of Firefox API limitations. Basically the fix would increase the probability that some requests might leak through from one torbutton state to another.

I am kind of torn. On the one hand, since we don't really support the toggle model, it might be fine to make it (more) insecure. However, I don't really think the referrer blocking feature is very useful, and I am planning on removing it in the next major release. So to break it for this reason seems kind of silly.

Hence, let's hide the referer spoofing option, demoting it to an about:config pref only, to prevent people from breaking their TBBs with it.

We will remove the pref entirely in a future release.

Change History (5)

comment:1 Changed 8 years ago by mikeperry

Actual Points: 1
Resolution: fixed
Status: new → closed

comment:2 Changed 8 years ago by rransom

Hmm. On second thought, just hiding the option would be bad for folks who have turned it on already. Perhaps you should remove the underlying preference now, too.

comment:3 Changed 8 years ago by mikeperry

Summary: Hide referer spoofing option → Remove referer spoofing support

Considering #3810 a dup of this.

comment:4 Changed 7 years ago by joyton

Where does this leave RefControl? And one such as myself that only uses TBB (and does not toggle)? As long as I realise I cannot toggle due to the issues you wrote above, is it 'safe' for one to use RefControl?

I used RefControl for years with Tor bundle and then TBB, until Mike included the code for referrer spoofing.

comment:5 Changed 7 years ago by joyton

Edit:

Please see my comments under ticket #3429 ("Referer blocking option breaks browser navigation"), re spoofing vs. blocking of referrers.
