Skip to content
GitLab
Closed (moved) (moved)
Issue created by Yawning Angel@yawning

HTTPS Everywhere's SSL Observatory code doesn't honor domain isolation.

The HTTPs request made to check.torproject.org as part of startup doesn't use domain isolation at all.

How to reproduce:

  1. Monitor the SOCKS traffic (or circuit list).
  2. Start Tor Browser, get to the about:tor page.
  3. Gasp in horror.

Tested with 6.0.5.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information