Opened 11 years ago

Last modified 11 years ago

#618 closed defect (Works for me)

disable_referer still active when tor is off

Reported by: jan
Owned by:
Priority: Low
Milestone:
Component: Torbutton-Torbutton
Version: 0.1.2.19
Severity:
Keywords:
Cc: jan
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Torbutton has an option so that "referers aren't sent during Tor usage" (in Torbutton > Options > Security settings > headers).
This option is disabled by default.

If I enable it (don't send referers during Tor usage), referers aren't sent even when Tor is not active, i.e. during normal non-Tor browsing.
This breaks some sites, e.g. Google Analytics, where CSS and images don't load.

about:config
extension.torbutton.disable_referer true

If I disable the option back, referers work normally again during normal, non-Tor browsing.

Tested settings:

1) Debian GNU Linux "lenny"
Iceweasel 2.0.0.12 Mozilla/5.0 (X11; U; Linux i686; it; rv:1.8.1.12) Gecko/20080129 Iceweasel/2.0.0.12 (Debian-2.0.0.12-1)
Tor 0.1.2.19
Torbutton 1.1.16-alpha

2) Windows XP
Firefox 2.0.0.12 Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12
Tor 0.1.2.19
Torbutton 1.1.16-alpha

3) Mac OSX 10.4
Firefox 2.0.0.12
Tor 0.1.2.19
Torbutton 1.1.16-alpha

[Automatically added by flyspray2trac: Operating System: Other Linux]

Change History (4)

comment:1 Changed 11 years ago by mikeperry

Hrmm, for me it appears to correctly be resetting network.http.sendRefererHeader and
network.http.sendSecureXSiteReferrer every toggle, which are the prefs that govern this. Are these prefs getting
set back to their default values when you toggle?

comment:2 Changed 11 years ago by jan

You are right. If I flag "Don't send referer during Tor usage", this sets:

extensions.torbutton.disable_referer true

then, when I toggle "tor enabled"/"Tor disabled" the values are as follows:

network.http.sendRefererHeader 2/0
network.http.sendSecureXSiteReferrer true/false

It seems it is not a referer-related issue.
But still I get a weird behavior when accessing www.google.com/analytics.
I tried disabling (flag off) one by one "hook dangerous javascript", "block javascript access to history navigation", "Clear http auth sessions" and setting "Clear cookies on Tor-toggle", but still I get the same problem on GA, i.e. images and css won't load.

I compared the http headers of a first GA session where the torbutton extension is disabled, with a second GA session where the extension is enabled, but tor toggled off. The first session is ok. The second session fails to load some javascript and cookies after user authentication, and the css and images fail to load.

I think it is some kind of javascript/torbutton interaction, but I am not confident with js and ajax.
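
The pref check discussed in comment:1 and comment:2, as an added example that is not part of the ticket or of Torbutton's code: it reads a prefs.js snapshot and reports the effective values of the two referer prefs. It assumes Firefox's defaults of 2 and true for those prefs (prefs.js omits prefs that are at their default); the function names and both sample snapshots are constructed for illustration.

```python
import re

# Assumed Firefox defaults for the two prefs named in comment:1.
# A pref sitting at its default is not written to prefs.js at all.
DEFAULTS = {
    "network.http.sendRefererHeader": 2,
    "network.http.sendSecureXSiteReferrer": True,
}
TORBUTTON_PREF = "extensions.torbutton.disable_referer"

USER_PREF = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Parse user_pref("name", value); lines into a dict of typed values."""
    prefs = {}
    for line in text.splitlines():
        m = USER_PREF.match(line)
        if not m:
            continue  # comments, blank lines, anything else
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def referer_state(text):
    """Report the effective referer prefs, treating absent prefs as default."""
    prefs = parse_prefs(text)
    effective = {name: prefs.get(name, dflt) for name, dflt in DEFAULTS.items()}
    return {
        # The ticket states the Torbutton option is disabled by default.
        "option_enabled": prefs.get(TORBUTTON_PREF, False),
        "effective": effective,
        "referers_suppressed": effective["network.http.sendRefererHeader"] == 0,
        "at_defaults": effective == DEFAULTS,
    }

# Constructed snapshots of prefs.js taken after each toggle (not real profile data).
SAMPLE_SUPPRESSED = '''# Mozilla User Preferences
user_pref("extensions.torbutton.disable_referer", true);
user_pref("network.http.sendRefererHeader", 0);
user_pref("network.http.sendSecureXSiteReferrer", false);
'''
SAMPLE_RESTORED = '''# Mozilla User Preferences
user_pref("extensions.torbutton.disable_referer", true);
'''
```

If `at_defaults` is true for the snapshot taken with Tor toggled off while the site still breaks, the referer prefs are not the cause, which is the conclusion comment:2 reaches.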

comment:3 Changed 11 years ago by mikeperry

Hrmm.. could be a content policy glitch, or could be some issues with Google's javascript obfuscator that just started messing with the javascript hooks (will be fixed in 1.1.18). Does firebug/venkman show any errors/exceptions?

comment:4 Changed 11 years ago by mikeperry

flyspray2trac: bug closed.
Closing this because title is wrong, and is also potentially fixed in 1.1.18. Please refile if still applies in 1.1.18 with correct description/title.
