Skip to content
GitLab
Projects Groups Snippets
  • /
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in
  • Trac Trac
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Issues 246
    • Issues 246
    • List
    • Boards
    • Service Desk
    • Milestones
  • Monitor
    • Monitor
    • Metrics
    • Incidents
  • Analytics
    • Analytics
    • Value stream
  • Wiki
    • Wiki
  • Activity
  • Create a new issue
  • Issue Boards
Collapse sidebar
  • Legacy
  • TracTrac
  • Issues
  • #20195
Closed (moved) (moved)
Open
Issue created Sep 21, 2016 by Yawning Angel@yawning

HTTPS Everywhere's SSL Observatory code doesn't honor domain isolation.

The HTTPs request made to check.torproject.org as part of startup doesn't use domain isolation at all.

How to reproduce:

  1. Monitor the SOCKS traffic (or circuit list).
  2. Start Tor Browser, get to the about:tor page.
  3. Gasp in horror.

Tested with 6.0.5.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information
Assignee
Assign to
Time tracking