#21756: HTTP Authentication data is still sent to third parties with ESR 52
based
Tor Browser
-------------------------------------------------+-------------------------
Reporter: gk | Owner: tbb-
| team
Type: defect | Status:
| assigned
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ff52-esr, TorBrowserTeam201704, | Actual Points:
tbb-7.0-must-alpha |
Parent ID: | Points:
Reviewer: | Sponsor:
| Sponsor4
-------------------------------------------------+-------------------------
Comment (by gk):
Replying to [comment:7 arthuredelstein]:
> Replying to [comment:6 gk]:
> > Do you think you could come up with a test for that scenario, too, to
be extra sure that nothing is sneaking in?
>
> So my test from comment:2 is already testing if any third-party headers
are received back under a new first party. Are you interested in testing
the silent authentication scenario (with and without JS), or is there some
other characteristic of that demo you would like to test?
If you think there is no loophole where this kind of feature abuse can
subvert our defenses then feel free to close this ticket without adding a
particular test for the ip-check scenario.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21756#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
