Re: [tor-bugs] #32948 [Applications/Tor Browser]: Make referer behavior consistent regardless of private browing mode status

[Tor Bug Tracker & Wiki]

#32948: Make referer behavior consistent regardless of private browing mode 
status
-+-
 Reporter:  cypherpunks  |  Owner:  tbb-
 |  team
 Type:  enhancement  | Status:  closed
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:  fixed
 Keywords:  tbb-fingerprinting,  |  Actual Points:  .1
  TorBrowserTeam202001R  |
Parent ID:   | Points:
 Reviewer:  acat |Sponsor:
-+-
Changes (by boklm):

 * status:  needs_review => closed
 * resolution:   => fixed


Comment:

 Replying to [comment:4 acat]:
 > Looks good to me.

 Thanks. After fixing conflict with #27268 I merged the patch to `tor-
 browser-68.4.1esr-9.5-1` as commit
 `e8411693ccfa757557eecd97baaa8bb12a5c87dc`.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #32948 [Applications/Tor Browser]: Make referer behavior consistent regardless of private browing mode status

[Tor Bug Tracker & Wiki]

#32948: Make referer behavior consistent regardless of private browing mode 
status
-+-
 Reporter:  cypherpunks  |  Owner:  tbb-
 |  team
 Type:  enhancement  | Status:
 |  needs_review
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-fingerprinting,  |  Actual Points:  .1
  TorBrowserTeam202001R  |
Parent ID:   | Points:
 Reviewer:  acat |Sponsor:
-+-

Comment (by acat):

 Looks good to me.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #32948 [Applications/Tor Browser]: Make referer behavior consistent regardless of private browing mode status

[Tor Bug Tracker & Wiki]

#32948: Make referer behavior consistent regardless of private browing mode 
status
-+-
 Reporter:  cypherpunks  |  Owner:  tbb-
 |  team
 Type:  enhancement  | Status:
 |  needs_review
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-fingerprinting,  |  Actual Points:  .1
  TorBrowserTeam202001R  |
Parent ID:   | Points:
 Reviewer:  acat |Sponsor:
-+-
Changes (by pili):

 * reviewer:   => acat


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #32948 [Applications/Tor Browser]: Make referer behavior consistent regardless of private browing mode status

[Tor Bug Tracker & Wiki]

#32948: Make referer behavior consistent regardless of private browing mode 
status
-+-
 Reporter:  cypherpunks  |  Owner:  tbb-
 |  team
 Type:  enhancement  | Status:
 |  needs_review
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-fingerprinting,  |  Actual Points:  .1
  TorBrowserTeam202001R  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by boklm):

 * keywords:  tbb-fingerprinting, TorBrowserTeam202001 => tbb-
 fingerprinting, TorBrowserTeam202001R
 * status:  new => needs_review
 * actualpoints:   => .1


Comment:

 I attached a patch doing this.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #32948 [Applications/Tor Browser]: Make referer behavior consistent regardless of private browing mode status

[Tor Bug Tracker & Wiki]

#32948: Make referer behavior consistent regardless of private browing mode 
status
-+-
 Reporter:  cypherpunks  |  Owner:  tbb-
 |  team
 Type:  enhancement  | Status:  new
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-fingerprinting,  |  Actual Points:
  TorBrowserTeam202001   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by boklm):

 * Attachment "0001-fixup-TB4-Tor-Browser-s-Firefox-preference-
 overrides.patch" added.


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #32948 [Applications/Tor Browser]: Make referer behavior consistent regardless of private browing mode status

[Tor Bug Tracker & Wiki]

#32948: Make referer behavior consistent regardless of private browing mode 
status
-+-
 Reporter:  cypherpunks  |  Owner:  tbb-
 |  team
 Type:  enhancement  | Status:  new
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-fingerprinting,  |  Actual Points:
  TorBrowserTeam202001   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by boklm):

 * keywords:  referer, referrer, private browsing, pbm => tbb-
 fingerprinting, TorBrowserTeam202001


Comment:

 This sounds like a good idea to me.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

[tor-bugs] #32948 [Applications/Tor Browser]: Make referer behavior consistent regardless of private browing mode status

[Tor Bug Tracker & Wiki]

#32948: Make referer behavior consistent regardless of private browing mode 
status
-+-
 Reporter:  cypherpunks  |  Owner:  tbb-team
 Type:  enhancement  | Status:  new
 Priority:  Medium   |  Component:  Applications/Tor
 |  Browser
  Version:   |   Severity:  Normal
 Keywords:  referer, referrer,   |  Actual Points:
  private browsing, pbm  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
 Tor Browser's default [https://developer.mozilla.org/en-
 US/docs/Web/HTTP/Headers/Referrer-Policy referrer policy] when in private
 browsing mode is ''strict-origin-when-cross-origin'', but when private
 browsing mode is turned off its referrer policy is ''no-referrer-when-
 downgrade''. This is governed by the
 `network.http.referer.defaultPolicy.pbmode` and
 `network.http.referer.defaultPolicy` preferences, documented
 [https://wiki.mozilla.org/Security/Referrer here].

 This means that by default Tor Browser strips the path component from the
 referer header when making cross-origin requests. But if private browsing
 mode is turned off, it sends the complete URL instead.

 __Example__
 User navigates to `https://example.org/page.html` and the browser makes a
 request for an embedded image located at
 `https://static.cdn.com/image.gif`

 PBM = on, Referer = !https://example.org/
 PBM = off, Referer = !https://example.org/page.html

 This is undesirable because it makes it easy to passively detect TB users
 who have turned PBM off with nothing more than standard web server logs.

 And although it is advised against, it is apparent from comments and
 discussions online that a number of users with relaxed security
 requirements turn off private browsing mode to take advantage of features
 such as the browser password manager and URL bar history suggestions.

 For this reason, I think it would be good to remove this inonsistency.
 This can be accomplished by changing the default value of
 `network.http.referer.defaultPolicy` to 2 so that it matches that of its
 PBM counterpart (`network.http.referer.defaultPolicy.pbmode`). This would
 be in the interest of all TB users, not just those who turn off private
 browsing mode, because it increases uniformity.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs