drag-n-drop bypasses tor on Unity
Requests for drag-and-drop thumbnails in Tor Browser are not sent through the Tor network, but instead as plain-text HTTP requests.
How to reproduce:
- Download and start Tor Browser Bundle version 2.2.34-2 (current, this one)
- Start up Wireshark and start logging your network interactively
- Using the Tor Browser, visit "www.gnome.org" (or any other HTTP site)
- See Wireshark sending all traffic encrypted to various Tor nodes
- When the site has loaded, drag the big image on the site
- See Wireshark logging a DNS request for "www.gnome.org" with reply
- See Wireshark logging an HTTP HEAD request for "/wp-content/uploads/2011/09/gnome-3.2.png" on host "www.gnome.org", sending this directly unencrypted to the IP returned from the DNS request.
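
The Wireshark check in the steps above can be automated when testing a fix. The following is an added example, not part of the original report or of Tor Browser: it scans packet payloads for the two leaks described (a direct DNS query and a cleartext HTTP request). It assumes the payloads were already extracted from a capture as (protocol, destination IP, destination port, payload) tuples; the IP addresses and sample payloads are constructed.

```python
import struct

def dns_qname(payload):
    """First question name of a DNS query, or None (responses are ignored)."""
    if len(payload) < 13:
        return None
    _id, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set: a response, not a query
        return None
    labels, pos = [], 12
    while pos < len(payload):
        n = payload[pos]
        if n == 0:
            return ".".join(labels) or None
        if n > 63 or pos + 1 + n > len(payload):  # pointer or truncated label
            return None
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return None

def http_request(payload):
    """(method, host, path) of a cleartext HTTP request, or None."""
    head = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = head[0].split(b" ")
    if len(parts) != 3 or parts[0] not in (b"GET", b"HEAD", b"POST") or not parts[2].startswith(b"HTTP/"):
        return None
    host = ""
    for line in head[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
    return parts[0].decode(), host, parts[1].decode("ascii", "replace")

def find_leaks(packets):
    """Flag direct DNS queries and cleartext HTTP requests (traffic that skipped Tor)."""
    leaks = []
    for proto, dst, dport, payload in packets:
        if proto == "udp" and dport == 53 and dns_qname(payload):
            leaks.append(("dns", dst, dns_qname(payload)))
        req = http_request(payload) if proto == "tcp" else None
        if req:
            leaks.append(("http", dst, "%s http://%s%s" % req))
    return leaks

SAMPLE = [  # constructed: one opaque TLS-like record, then the two leaks from the report
    ("tcp", "198.51.100.7", 9001, b"\x16\x03\x01\x00\x05hello"),
    ("udp", "192.0.2.53", 53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6 + b"\x03www\x05gnome\x03org\x00\x00\x01\x00\x01"),
    ("tcp", "203.0.113.10", 80, b"HEAD /wp-content/uploads/2011/09/gnome-3.2.png HTTP/1.1\r\nHost: www.gnome.org\r\n\r\n"),
]
```

An empty result from `find_leaks` over a capture taken during the drag is the pass condition; any entry means a request left the machine outside Tor.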