[tor-commits] [tor-browser/tor-browser-45.8.0esr-6.5-2] fixup! Bug 13900: Remove 3rd party HTTP auth tokens.

2017-03-08 Thread gk
commit eb8f7fd0910e831d96dfdef4782e23c6c389e844
Author: Arthur Edelstein 
Date:   Fri Mar 3 21:47:20 2017 -0800

fixup! Bug 13900: Remove 3rd party HTTP auth tokens.

The HostPartIsTheSame() is too strict about deciding what is first party.
Instead we use IsThirdPartyURI() to check if the request is from
the first party. Specifically, it considers an XHR to api.twitter.com
from a twitter.com top-level page to be first-party.

This fixes bug 21555 and 16450.
---
 netwerk/protocol/http/nsHttpChannel.cpp | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/netwerk/protocol/http/nsHttpChannel.cpp 
b/netwerk/protocol/http/nsHttpChannel.cpp
index 3a9a126..e571394 100644
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -6558,8 +6558,12 @@ nsHttpChannel::RemoveAuthorizationHeaderIfAppropriate()
 nsresult rv = thirdPartySvc->GetFirstPartyURIFromChannel(this, false,
getter_AddRefs(firstPartyURI));
 if (NS_SUCCEEDED(rv) && firstPartyURI) {
-isAuthAllowed = (mURI == firstPartyURI)
-|| HostPartIsTheSame(firstPartyURI);
+bool isThirdParty;
+rv = thirdPartySvc->IsThirdPartyURI(firstPartyURI, mURI, 
);
+if (NS_SUCCEEDED(rv)) {
+// Prevent third-party requests from sending auth tokens.
+isAuthAllowed = !isThirdParty;
+}
 } else {
 // We failed to get the first party URI. Check the document URI so
 // that we can allow authentication if the request originates from the
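Review bot: `bool isThirdParty;` is declared without an initial value, and when `IsThirdPartyURI()` returns a failure code `isAuthAllowed` keeps whatever value it had before this block, which these lines do not show. Initialise `isThirdParty` to `true` and set `isAuthAllowed = false` on the failure path, so that an error in the third-party check drops the Authorization header instead of depending on an earlier default.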

___
tor-commits mailing list
tor-commits@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits
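
The difference the commit message above describes, between exact-host matching and a third-party check, shown as an added example that is not part of the commit or of Tor Browser's code. It assumes the third-party test compares registrable (base) domains; `kSuffixes`, `BaseDomain`, `AllowAuthExactHost` and `AllowAuthSameBaseDomain` are hypothetical names, and the suffix list and host pairs are constructed.

```cpp
#include <cstdio>
#include <set>
#include <string>

// Constructed, tiny stand-in for a public-suffix list (assumption: a real
// browser consults the full list). Hosts are assumed already lower-cased.
static const std::set<std::string> kSuffixes = {"com", "org", "co.uk"};

// Hypothetical helper: registrable domain = longest known suffix plus one
// label. Falls back to the whole host when no suffix matches.
std::string BaseDomain(const std::string& host) {
  size_t prev = 0, start = 0;
  while (true) {
    // Scanning left to right, the first suffix hit is the longest one.
    if (kSuffixes.count(host.substr(start)))
      return start == 0 ? host : host.substr(prev);
    size_t dot = host.find('.', start);
    if (dot == std::string::npos) return host;
    prev = start;
    start = dot + 1;
  }
}

// Strict rule: credentials only when the request host equals the top-level host.
bool AllowAuthExactHost(const std::string& top, const std::string& req) {
  return top == req;
}

// Relaxed rule: credentials when both hosts share a registrable domain.
bool AllowAuthSameBaseDomain(const std::string& top, const std::string& req) {
  return BaseDomain(top) == BaseDomain(req);
}

int main() {
  const char* cases[][2] = {  // constructed (top-level host, request host) pairs
      {"twitter.com", "api.twitter.com"},
      {"twitter.com", "tracker.example.org"},
      {"shop.example.co.uk", "evil.co.uk"}};
  for (auto& c : cases)
    std::printf("%-20s -> %-20s exact=%d base-domain=%d\n", c[0], c[1],
                AllowAuthExactHost(c[0], c[1]),
                AllowAuthSameBaseDomain(c[0], c[1]));
  return 0;
}
```

The third pair shows why the comparison needs a suffix list: two hosts under `co.uk` share trailing labels but not a registrable domain, so the relaxed rule still withholds credentials.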


[tor-commits] [tor-browser/tor-browser-45.8.0esr-7.0-1] fixup! Bug 13900: Remove 3rd party HTTP auth tokens.

2017-03-08 Thread gk
commit 340377b882408b5de24ff69bcd76e774d9844e4c
Author: Arthur Edelstein 
Date:   Fri Mar 3 21:47:20 2017 -0800

fixup! Bug 13900: Remove 3rd party HTTP auth tokens.

The HostPartIsTheSame() is too strict about deciding what is first party.
Instead we use IsThirdPartyURI() to check if the request is from
the first party. Specifically, it considers an XHR to api.twitter.com
from a twitter.com top-level page to be first-party.

This fixes bug 21555 and 16450.
---
 netwerk/protocol/http/nsHttpChannel.cpp | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/netwerk/protocol/http/nsHttpChannel.cpp 
b/netwerk/protocol/http/nsHttpChannel.cpp
index 3a9a126..e571394 100644
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -6558,8 +6558,12 @@ nsHttpChannel::RemoveAuthorizationHeaderIfAppropriate()
 nsresult rv = thirdPartySvc->GetFirstPartyURIFromChannel(this, false,
getter_AddRefs(firstPartyURI));
 if (NS_SUCCEEDED(rv) && firstPartyURI) {
-isAuthAllowed = (mURI == firstPartyURI)
-|| HostPartIsTheSame(firstPartyURI);
+bool isThirdParty;
+rv = thirdPartySvc->IsThirdPartyURI(firstPartyURI, mURI, 
);
+if (NS_SUCCEEDED(rv)) {
+// Prevent third-party requests from sending auth tokens.
+isAuthAllowed = !isThirdParty;
+}
 } else {
 // We failed to get the first party URI. Check the document URI so
 // that we can allow authentication if the request originates from the
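Review bot: the comment on `isAuthAllowed = !isThirdParty;` says only that third-party requests are blocked; it should also record what now counts as first party, as the commit message does (an XHR to api.twitter.com from a twitter.com page), because hosts that failed the old `HostPartIsTheSame()` test now receive the Authorization header. A regression test covering that case and a genuinely third-party host would pin the behaviour for bugs 21555 and 16450.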



[tor-commits] [webwml/master] Add new Tor Browser alphas: 7.0a2

2017-03-08 Thread boklm
commit 53dfbb59c7b095e7fe73e7a74e10d1d9418e1adc
Author: Nicolas Vigier 
Date:   Wed Mar 8 11:39:27 2017 +0100

Add new Tor Browser alphas: 7.0a2
---
 include/versions.wmi   | 18 +-
 projects/torbrowser/RecommendedTBBVersions |  8 +++-
 2 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/include/versions.wmi b/include/versions.wmi
index 1d562c8..dd07211 100644
--- a/include/versions.wmi
+++ b/include/versions.wmi
@@ -5,28 +5,28 @@
 
 maint-6.5
 6.5.1
-7.0a1
+7.0a2
 
 6.5.1
 2017-03-07
-7.0a1
-2017-01-25
+7.0a2
+2017-03-08
 
 6.5.1
 2017-03-07
 6.5.1
 2017-03-07
-7.0a1
-2017-01-25
-7.0a1
-2017-01-25
+7.0a2
+2017-03-08
+7.0a2
+2017-03-08
 
 6.5.1
 2017-03-07
 6.5.1
 2017-03-07
-7.0a1
-2017-01-25
+7.0a2
+2017-03-08
 0.0.3
 
 ../dist/torbrowser//tor-win32-.zip
diff --git a/projects/torbrowser/RecommendedTBBVersions 
b/projects/torbrowser/RecommendedTBBVersions
index ae831be..ce1375f 100644
--- a/projects/torbrowser/RecommendedTBBVersions
+++ b/projects/torbrowser/RecommendedTBBVersions
@@ -12,5 +12,11 @@
 "7.0a1-MacOS",
 "7.0a1-Windows",
 "7.0a1-hardened",
-"7.0a1-hardened-Linux"
+"7.0a1-hardened-Linux",
+"7.0a2",
+"7.0a2-Linux",
+"7.0a2-MacOS",
+"7.0a2-Windows",
+"7.0a2-hardened",
+"7.0a2-hardened-Linux"
 ]
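Review bot: the `7.0a1` entries in the context lines above the additions are kept, so both alphas are listed as recommended after this change. If 7.0a1 is meant to stay only while 7.0a2 rolls out, say so in the commit message and remove the `7.0a1*` strings in a follow-up; otherwise the superseded alpha remains listed as recommended.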



[tor-commits] [metrics-web/master] Update news.

2017-03-08 Thread karsten
commit ec99b4e3e522b25bf57dae4c3a23b4ac08143e70
Author: Karsten Loesing 
Date:   Wed Mar 8 09:25:07 2017 +0100

Update news.
---
 website/etc/news.json | 13 -
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/website/etc/news.json b/website/etc/news.json
index 3c6f6f0..2aaed53 100644
--- a/website/etc/news.json
+++ b/website/etc/news.json
@@ -394,7 +394,18 @@
 ],
 "description": "meek-azure is shut down pending migration to a new CDN 
configuration.",
 "links": [
-  "https://lists.torproject.org/pipermail/tor-project/2017-March/000981.html\;>mailing
 list post"
+  "https://lists.torproject.org/pipermail/tor-project/2017-March/000981.html\;>mailing
 list post",
+  "https://bugs.torproject.org/21342\;>ticket"
+]
+  },
+  {
+"start": "2017-03-07",
+"protocols": [
+  "meek"
+],
+"description": "Tor Browser 6.5.1 is released, containing the new 
meek-azure CDN configuration.",
+"links": [
+  "https://blog.torproject.org/blog/tor-browser-651-released\;>blog 
post"
 ]
   },
   {


