3rd party HTTP auth removal is triggered whenever firefox attempts to fetch a nonexistant favicon.ico
- Torbutton about says 1.4.6 but that's not available in the version dropdown
When browsing within a single website with no 3rd party content that uses HTTP authentication (in this case an simple onion site), the HTTP authentication is periodically invalidated and one is forced to re-authenticate. Setting the torbutton logging level to 3 the invalidation of the HTTP auth seems correspond to entries like the one below:
Torbutton INFO: SSC: Parent browser for http://example.onion/favicon.ico Torbutton INFO: SSC: Segmenting http://example.onion/favicon.ico content loaded by browser Torbutton NOTE: Removing 3rd party HTTP auth for url: http://example.onion/favicon.ico
The site in question does not have a favicon nor any header code indicating one should be fetched, and when Firefox makes a request for one automatically, it seems to invalidate the HTTP auth.
Since this is an automatic behavior of Firefox, and at no point is a request for content from a 3rd party being made Torbutton should handle this case correctly (ie. not invalidate the HTTP auth session).
Trac:
Username: cryptobear