GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.


Closed (moved)
Opened Jul 27, 2015 by Mike Perry (@mikeperry)

Isolate/Disable HTTP Alternative-Services

The HTTP Alternative Services header (https://tools.ietf.org/html/draft-ietf-httpbis-alt-svc-06) allows websites to tell clients to cache destination and protocol settings for certain websites.

While this header enables things like opportunistic encryption, http2 discovery, etc., unfortunately it is both a supercookie vector and a third-party tracking vector. Luckily for us, it was disabled for Firefox 38 because the initial implementation also enabled URL bar spoofing vulnerabilities.

However, for Firefox 45, we will either need to isolate it, or ensure it remains disabled.

Reference: legacy/trac#16673
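
The isolation the issue asks for amounts to a change of cache key. The following is an added example, not Firefox or Tor Browser code and not part of the original issue: a simplified Alt-Svc cache model in JavaScript, with header syntax taken from RFC 7838 (the published form of the draft linked above). The names `parseAltSvc`, `AltSvcCache` and `crossSiteLookup` and all hostnames are hypothetical.

```javascript
// Added illustration: simplified model of an Alt-Svc cache, not browser code.
// Syntax per RFC 7838: proto-id="host:port"; ma=<seconds>, or the token "clear".
function parseAltSvc(value) {
  const entries = [];
  for (const part of value.split(",")) {
    const [svc, ...params] = part.split(";").map((s) => s.trim());
    const m = /^([A-Za-z0-9%._~-]+)="([^"]*):(\d+)"$/.exec(svc);
    if (!m) continue; // ignore malformed alternatives
    let maxAge = 86400; // RFC 7838 default freshness lifetime (24 h)
    for (const p of params) {
      const ma = /^ma=(\d+)$/.exec(p);
      if (ma) maxAge = Number(ma[1]);
    }
    entries.push({ protocol: m[1], host: m[2], port: Number(m[3]), maxAge });
  }
  return entries;
}

class AltSvcCache {
  // isolate=false: keyed by origin only, so state is shared across all sites.
  // isolate=true: keyed by (first-party site, origin), one partition per site.
  constructor(isolate) { this.isolate = isolate; this.map = new Map(); }
  key(firstParty, origin) {
    return this.isolate ? `${firstParty} ${origin}` : origin;
  }
  store(firstParty, origin, header, nowMs) {
    const k = this.key(firstParty, origin);
    if (header.trim() === "clear") { this.map.delete(k); return; }
    const entries = parseAltSvc(header);
    if (entries.length === 0) return; // nothing valid to remember
    this.map.set(k, entries.map((e) => ({ ...e, expires: nowMs + e.maxAge * 1000 })));
  }
  lookup(firstParty, origin, nowMs) {
    const all = this.map.get(this.key(firstParty, origin)) || [];
    return all.find((e) => e.expires > nowMs) || null;
  }
}

// Constructed scenario: cdn.example is embedded as a third party on two sites.
// Returns the alternative host reused on site-b after it was learned on site-a.
function crossSiteLookup(isolate) {
  const cache = new AltSvcCache(isolate);
  cache.store("site-a.example", "https://cdn.example",
    'h2="alt-1.cdn.example:443"; ma=3600', 0);
  const hit = cache.lookup("site-b.example", "https://cdn.example", 1000);
  return hit ? hit.host : null;
}

console.log(crossSiteLookup(false), crossSiteLookup(true));
```

With the origin-only key, the alternative learned under one first party is reused under another, which is the cross-site state the issue describes; with the first-party key the second site starts from an empty partition.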