Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

leaks information to Google Images search history #26

twoprops opened this Issue Apr 21, 2013 · 2 comments


None yet
3 participants

(1) Open Onion Browser (2) type 'https://google.com' (3) tap the Images link (4) tap in the search box (5) type a search term (6) tap Search (7) ##do stuff## (8) repeat 1-4 and the search history will show your previous search(es).

do stuff## includes navigating away from the page; choosing new identity; quitting and returning to Onion Browser; quitting Onion Browser, killing its task, and restarting it. It does seem to clear the search history if you power off iPhone.

Somehow, Google Images is able to track you through different identities and even killing/restarting the app, even with cookies disabled.

If choosing a new identity causes Google to redirect you to a country-specific page (eg. ...google.de), then the search history won't show up (but it's still there).

Browser settings:
block all cookies
no spoofing
pipelining enabled
no DNT header
not using bridges

Bobsson commented Oct 2, 2013

I'm encountering this issue with all google searches, not just images. Additionally, once I do a search on a country-specific google page, I'm stuck going to that country's page by default.


mtigas commented Oct 9, 2013

Possibly due to HTML5 "Application Cache" (different from standard browser caching of resources). Not 100% sure if [NSURLCache removeAllCachedResponses] — which is one of the things Onion Browser fires off to clear data — handles this.

Possible fix that I’ll try implementing this week:

@mtigas mtigas closed this in dffce70 Oct 10, 2013

mtigas pushed a commit that referenced this issue Apr 20, 2017

CKHTTPConnection: finally fix keep-alive issue and re-enable
We can only disable weak ciphers if we're in kSSLIdle, which we
won't be in if we're re-using a persistent connection that has
already negotiated ciphers.

Now that we can use persistent connections reliably, remove the
conditional define.

Also, while we're here, remove the block setting TLS 1.0 and 1.1.
iOS 10 doesn't do SSL 2/3 anymore, so there's no need to specify any
settings unless the host has TLS 1.2 required.

closes #26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment