What's the fix in the works? There is a specification being developed to allow sites to opt to remove referers (or opt to let them leak *more* information.) http://www.w3.org/TR/referrer-policy/
(If you're wondering why one would want to leak more information, it's basically to promote HTTPS adoption. One of the things holding back HTTPS adoption is the lack of Referer on an HTTPS->HTTP link, so by removing that constraint, the originating origin can move to HTTPS.)

Firefox supports Referrer Policy as of 36: https://blog.mozilla.org/security/2015/01/21/meta-referrer/ so arguably HS owners have the ability to fix this themselves for users on ESR38.

-tom

On 6 October 2015 at 18:15, Tim Wilson-Brown - teor <teor2...@gmail.com> wrote:
> Hi All,
>
> Currently there’s an information leak in Tor Browser: it sends referrer
> headers containing .onion site addresses when the user clicks on a link on
> the .onion site.
>
> There’s a fix in the works, but we were wondering:
> Does anyone’s hidden service depend on the referrer header?
> The currently favoured fix is to stop sending referrers cross-origin
> (between different .onion sites, and between .onion sites and sites on the
> internet).
>
> But this may break sites that are set up with multiple .onion addresses and
> use referrers to check that requests are coming from the parent site.
> (People sometimes set up different .onion sites to serve different types of
> content, such as images.)
>
> In general, I would discourage people from using referrers in this way,
> because they aren’t secure and can be faked.
>
> But does anyone have a compelling use case for cross-origin referrers, or is
> using them at the moment?
> We could include a preference if removing them would break too many sites.
>
> Tim
>
> Tim Wilson-Brown (teor)
>
> teor2345 at gmail dot com
> PGP 968F094B
>
> teor at blah dot im
> OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
>
>
> _______________________________________________
> tor-dev mailing list
> tor-dev@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
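The Referrer Policy mechanism Tom points to, worked through as an added example (this is not code from the thread, from Tor Browser or from Firefox): a small Python model of the spec's "determine request's referrer" steps, applied to a link leaving a hidden service. The .onion addresses and paths are constructed placeholders, origin comparison is simplified to scheme/host/port with default ports normalised, and the policy list includes the `same-origin` and `strict-*` values that entered the spec after the 2015 draft linked above (an assumption about the reader's spec version, not something this thread states). The point it makes visible: every origin-based policy still sends `scheme://something.onion/`, so only `no-referrer` or `same-origin` actually withhold the onion address from a cross-origin destination, and `same-origin` is exactly the setting that would break the multi-onion image-host setup Tim describes.

```python
"""Model of the Referrer Policy algorithm for links leaving a .onion site.

Added example for the tor-dev thread above; not Tor Browser or Firefox code.
Simplifications (assumptions): origin = (scheme, host, port) with default
ports for http/https only, and a downgrade is simply https -> http.
"""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)

# Constructed sample URLs (placeholder onion addresses, not real services).
ONION_PAGE = "http://abcdefghijklmnop.onion/board/thread?id=42#top"
SIBLING_ONION = "http://qrstuvwxyzabcdef.onion/images/logo.png"  # second onion for static content
CLEARNET_PAGE = "http://example.com/"


def origin(url):
    """(scheme, host, port); default ports normalised so http://h and http://h:80 compare equal."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))


def _hostport(p):
    host = p.hostname or ""
    return f"{host}:{p.port}" if p.port else host


def strip_for_referrer(url):
    """Full referrer value: credentials and fragment removed, path and query kept."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _hostport(p), p.path or "/", p.query, ""))


def origin_only(url):
    """Referrer reduced to the origin, serialised as scheme://host[:port]/ ."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _hostport(p), "/", "", ""))


def is_downgrade(src, dst):
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"


def referrer_for(policy, src, dst):
    """Referer value a browser sends when following a link from src to dst, or None."""
    same = origin(src) == origin(dst)
    down = is_downgrade(src, dst)
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":  # the pre-policy browser default
        return None if down else strip_for_referrer(src)
    if policy == "origin":
        return origin_only(src)
    if policy == "origin-when-cross-origin":
        return strip_for_referrer(src) if same else origin_only(src)
    if policy == "same-origin":
        return strip_for_referrer(src) if same else None
    if policy == "strict-origin":
        return None if down else origin_only(src)
    if policy == "strict-origin-when-cross-origin":
        if same:
            return strip_for_referrer(src)
        return None if down else origin_only(src)
    if policy == "unsafe-url":
        return strip_for_referrer(src)
    raise ValueError(f"unknown policy: {policy}")


def leaks_onion_address(policy, src, dst):
    """True when the referrer delivered to dst reveals which .onion site the user came from."""
    ref = referrer_for(policy, src, dst)
    return ref is not None and (urlsplit(ref).hostname or "").endswith(".onion")


def leak_table(src, dst):
    """Per-policy view of whether the onion hostname reaches dst."""
    return {policy: leaks_onion_address(policy, src, dst) for policy in POLICIES}


if __name__ == "__main__":
    for dst in (CLEARNET_PAGE, SIBLING_ONION):
        print(f"\n{ONION_PAGE} -> {dst}")
        for policy in POLICIES:
            print(f"  {policy:32} {referrer_for(policy, ONION_PAGE, dst)!s}")
```

A site operator opts into one of these values with the `<meta name="referrer" content="...">` element the Mozilla post describes; running the block prints the referrer each policy would produce for a clearnet destination and for a sibling onion, which is the quickest way to see why the thread's proposed fix (no cross-origin referrers) and the `same-origin` policy behave alike.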