Closed Bug 1305144 Opened 9 years ago Closed 9 years ago

Spoof referrer when leaving a .onion domain (Tor 17334)

Categories: Core :: Networking, defect
Priority: Not set
Severity: normal
Status: RESOLVED FIXED (mozilla54)
Tracking Status: firefox54 --- fixed
People: Reporter: arthur, Assigned: arthur
References: Blocks 1 open bug
Whiteboard: [tor][necko-would-take]
Attachments: 1 file, 2 obsolete files

When Tor Browser leaves a .onion domain, it's important not to leak the .onion address, for the privacy of both the user and the onion service. In that situation, Tor Browser provides a referrer header of the destination domain. We would like to propose uplifting this patch to Firefox. It should have no effect on standard Firefox behavior, which already shows the user an error when DNS resolution of a .onion address is attempted.
Note this patch removes a line, `currentHost = referrerHost;`, that is confusing and doesn't seem to serve a purpose.
Attachment #8794394 - Flags: review?(mcmanus)
Comment on attachment 8794394
0001-Bug-1305144-Spoof-referrer-when-leaving-a-.onion-dom.patch

Review of attachment 8794394:
-----------------------------------------------------------------

this seems to exceed the language of rfc 7686 re .onion

I'm still happy to take the patch under a pref set to true by tor browser that's off in firefox.
Attachment #8794394 - Flags: review?(mcmanus) → review-
Whiteboard: [tor] → [tor][necko-backlog]
Whiteboard: [tor][necko-backlog] → [tor][necko-would-take]
Thanks, Patrick! Here's a new version with the pref as requested.
Attachment #8794394 - Attachment is obsolete: true
Attachment #8798673 - Flags: review?(mcmanus)
I have no strong feelings, but it might be more privacy preserving if you had an empty referrer. That way the visitor could have come from typing in the url manually (or bookmark) or from a page with a referrerPolicy of no-referrer. If you spoof the destination as the referrer and the site goes to the trouble of correlating the fact that you hadn't been there before then the site knows you are likely to have come from a .onion site (or are one of the minority who set non-default prefs).
Comment on attachment 8798673
0001-Bug-1305144-Option-to-spoof-referrer-when-leaving-a-.patch

Review of attachment 8798673:
-----------------------------------------------------------------

(In reply to Daniel Veditz [:dveditz] from comment #4)
> I have no strong feelings, but it might be more privacy preserving if you
> had an empty referrer. That way the visitor could have come from typing in
> the url manually (or bookmark) or from a page with a referrerPolicy of
> no-referrer. If you spoof the destination as the referrer and the site goes
> to the trouble of correlating the fact that you hadn't been there before
> then the site knows you are likely to have come from a .onion site (or are
> one of the minority who set non-default prefs).

Thanks for the helpful suggestion, Dan. I'm going to cancel the review request for now and think about it.
Attachment #8798673 - Flags: review?(mcmanus)
I took Dan's suggestion and I made a new patch that produces an empty referrer when leaving a .onion domain. Try result: https://treeherder.mozilla.org/#/jobs?repo=try&revision=c3e1f381eab4939cefc6760d2803996e90e65d86&selectedJob=74092789
Attachment #8798673 - Attachment is obsolete: true
Attachment #8833216 - Flags: review?(mcmanus)
Attachment #8833216 - Flags: review?(mcmanus) → review+
Thanks, Patrick!
Keywords: checkin-needed
Assignee: nobody → arthuredelstein
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/1fab7622624a Option to hide referrer when leaving a .onion domain. r=mcmanus
Keywords: checkin-needed
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Depends on: 1357247
Depends on: 1367564
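The three referrer behaviours discussed in this bug, compared side by side in an added JavaScript sketch that is not taken from the attached patches or from Firefox. The policy labels, function names and sample URLs are constructed for illustration, and treating "leaving" as "source host is .onion and the destination host differs" is an assumption.

```javascript
// Added illustration; not Firefox or Tor Browser source. Policy labels are invented here.
const POLICY = Object.freeze({
  SEND: "send",             // no special handling of .onion sources
  SPOOF_DEST: "spoof-dest", // first proposal: referrer names the destination
  EMPTY: "empty",           // final patch: no referrer at all
});

function isOnionHost(host) {
  const h = host.toLowerCase().replace(/\.$/, ""); // tolerate a trailing root dot
  return h === "onion" || h.endsWith(".onion");
}

// Returns the Referer value to send, or null when the header is omitted.
// Assumption: "leaving" = source host is .onion and the destination host differs.
function refererFor(sourceUrl, destUrl, policy) {
  const src = new URL(sourceUrl);
  const dst = new URL(destUrl);
  const leavingOnion = isOnionHost(src.hostname) && src.hostname !== dst.hostname;
  if (leavingOnion && policy === POLICY.EMPTY) return null;
  if (leavingOnion && policy === POLICY.SPOOF_DEST) return dst.origin + "/";
  return src.origin + src.pathname + src.search; // fragment and userinfo are not sent
}

// Destination-side check raised in the thread: a same-origin referrer on a request
// from a client the site has never served suggests a spoofed value. A missing
// referrer also matches typed URLs, bookmarks and no-referrer pages, so it is ambiguous.
function looksSpoofed(referer, destUrl, seenClientBefore) {
  if (referer === null) return false;
  return new URL(referer).origin === new URL(destUrl).origin && !seenClientBefore;
}

// Constructed sample URLs (the .onion name is a placeholder, not a real service).
const SRC = "http://exampleonionplaceholder.onion/inbox?id=7#top";
const DST = "https://www.example.com/landing";

// One row per policy: what is sent, and whether the destination could flag it.
function demo() {
  return Object.values(POLICY).map((policy) => {
    const referer = refererFor(SRC, DST, policy);
    return { policy, referer, flagged: looksSpoofed(referer, DST, false) };
  });
}

console.log(demo());
```

Only the spoofed-destination row is flagged on a first visit; the unmodified row exposes the .onion host and path, and the empty row exposes nothing.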