Closed Bug 1744290 Opened 4 years ago Closed 3 years ago

.onion domains should never be sent as referrers

Categories

(Core :: Privacy: Anti-Tracking, enhancement)


RESOLVED DUPLICATE of bug 1816916

People

(Reporter: mhoye, Unassigned)


(Keywords: sec-want)

Glancing over my referrer logs, I can see a number of referrers coming from .onion domains. My sample size is small, but 100% of them involve UA strings that correspond with Firefox ESR releases.

For example:

access:[redacted IP addr] - - [30/Nov/2021:00:41:31 -0500] "GET /blarg/2019/09/06/forward-motion/ HTTP/1.1" 200 50125 "http://[redacted]j.onion/[redacted]" "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0" 1050937

While this is arguably permitted for http->http transactions per the spec, this should probably never be allowed to happen.

Group: core-security → dom-core-security
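One way to triage referrer logs the way the report describes, as an added Python example (not part of this bug, of Firefox, or of Tor Browser): it parses combined-format access log lines, keeps requests whose Referer host ends in .onion, and tallies the Firefox major version from each UA string. The IP addresses and .onion host names in the sample lines are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" format, with the optional leading "access:" tag
# seen in the log line quoted in the report.
LOG_RE = re.compile(
    r'^(?:access:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
FF_VER_RE = re.compile(r'Firefox/(\d+)')

def onion_referrers(lines):
    """Return (referer_host, user_agent) for requests whose Referer is a .onion URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable or differently formatted line
        host = urlsplit(m.group('referer')).hostname or ''  # "-" gives no host
        if host.endswith('.onion'):
            hits.append((host, m.group('ua')))
    return hits

def firefox_versions(hits):
    """Count Firefox major versions among the matched UA strings."""
    counts = Counter()
    for _, ua in hits:
        fv = FF_VER_RE.search(ua)
        counts[fv.group(1) if fv else 'other'] += 1
    return counts

# Constructed sample lines: placeholder addresses, not real .onion services.
SAMPLE_LOG = """\
access:203.0.113.10 - - [30/Nov/2021:00:41:31 -0500] "GET /blarg/2019/09/06/forward-motion/ HTTP/1.1" 200 50125 "http://placeholderplaceholder.onion/page" "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0" 1050937
203.0.113.11 - - [30/Nov/2021:01:02:03 -0500] "GET / HTTP/1.1" 200 1234 "https://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0"
203.0.113.12 - - [30/Nov/2021:01:05:00 -0500] "GET /x HTTP/1.1" 200 10 "http://anotherplaceholder.onion/" "Mozilla/5.0 (Windows NT 10.0; rv:60.0) Gecko/20100101 Firefox/60.0"
203.0.113.13 - - [30/Nov/2021:01:06:00 -0500] "GET /y HTTP/1.1" 200 10 "-" "curl/7.79.1"
"""

if __name__ == '__main__':
    hits = onion_referrers(SAMPLE_LOG.splitlines())
    for host, ua in hits:
        print(host, '<-', ua)
    print(dict(firefox_versions(hits)))
```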

Gecko already supports a pref that the Tor browser uses: network.http.referer.hideOnionSource (currently false in Firefox)

Making this change is easy if we decide to do it.

Type: defect → enhancement
Keywords: sec-want

At the moment we're not sure if these are Firefox UAs or Tor Browser. Firefox might explain it; Tor Browser would mean a bug somewhere.

Mike, would you be able to narrow it down for us?

Flags: needinfo?(mhoye)

This was talked about in bug 1742405 comment 4, but that bug was really about the Origin: header and CORS requests from .onion sites so this could be a bug for the actual pref flip

See Also: → 1742405

Of the ten hits in my logs going back to November 2nd, all of them are either FF60 or 78, and all of them are exit relays per the exonerator tool.

Flags: needinfo?(mhoye)

Is there any good reason for network.http.referer.hideOnionSource to not be true by default in Firefox? This would help keep onion services private which are being visited by users with custom Firefox + system tor setups.

Oh yeah, I probably should have attached the patch to this. I don't think this bug is actionable in any way other than Bug 1816916, so I'm going to dupe it there.

Status: NEW → RESOLVED
Closed: 3 years ago
Duplicate of bug: 1816916
Resolution: --- → DUPLICATE
Group: dom-core-security