Referers being sent from hidden service websites
| Reported by: | cypherpunks | Owned by: | tbb-team |
| Severity: | | Keywords: | tbb-torbutton, tbb-security, TorBrowserTeam201510R |
| Cc: | gk, gordon@…, arthuredelstein | Actual Points: | |
Currently, when browsing on a hidden service website, when you click on a clearnet/hidden service link it sends the current address as referer.
I think Tor Browser should behave for websites on .onion addresses the same as https:// websites on clearnet in certain cases.
Normally, when you click on an http link from an https website, it doesn't send any referer.
Tor Browser should at least use this same behavior of https for http hidden services (both are encrypted, right?). No referers should be sent to clearnet or to other hidden services; this is unacceptable. I believe it shouldn't send referers for https links as well, so send nothing at all.
Other than a partial solution, I still believe using the smart referer is a better solution overall.
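The behaviours discussed in the description above, modelled side by side as an added example (this is not Tor Browser or Torbutton code). The policy names, the `refererFor` helper and the sample URLs used with it are assumptions made for illustration.

```javascript
// Added illustration: which Referer value a navigation would carry
// under three policies. Policy names are constructed for this example.

function isOnion(url) {
  return url.hostname.endsWith(".onion");
}

// https is always treated as secure; .onion only when the policy says so.
function isSecure(url, onionIsSecure) {
  return url.protocol === "https:" || (onionIsSecure && isOnion(url));
}

// Returns the Referer header value that would be sent, or null for none.
function refererFor(from, to, policy) {
  const src = new URL(from);
  const dst = new URL(to);
  // Fragments and credentials are never part of a Referer value.
  src.hash = "";
  src.username = "";
  src.password = "";
  const full = src.href;

  switch (policy) {
    case "downgrade-only":
      // Behaviour the ticket complains about: only https -> http is
      // suppressed, so an http .onion page leaks its address everywhere.
      return isSecure(src, false) && !isSecure(dst, false) ? null : full;
    case "onion-as-secure":
      // Minimum asked for: an http .onion origin behaves like https.
      return isSecure(src, true) && !isSecure(dst, true) ? null : full;
    case "onion-no-cross-host":
      // Stricter request: a .onion page never sends its address to
      // clearnet or to a different hidden service.
      if (isOnion(src) && src.hostname !== dst.hostname) return null;
      return isSecure(src, true) && !isSecure(dst, true) ? null : full;
    default:
      throw new Error("unknown policy: " + policy);
  }
}
```

Under "onion-as-secure" the address is still sent to https clearnet sites and to other hidden services, which is why the description calls that option only a partial solution.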
Change History (36)
comment:6 Changed 3 years ago by erinn
- Component changed from TorBrowserButton to Tor Browser
- Keywords tbb-torbutton added
- Owner changed from mikeperry to tbb-team
comment:22 follow-up: ↓ 25 Changed 18 months ago by mikeperry
- Keywords tbb-security TorBrowserTeam201510 added
comment:25 in reply to: ↑ 22 Changed 18 months ago by zyan
- Status changed from needs_revision to needs_review
comment:26 Changed 18 months ago by mikeperry
- Keywords TorBrowserTeam201510R added; TorBrowserTeam201510 removed