[tor-bugs] #16783 [Tor Browser]: NoScript whitelist reset is fingerprintable



#16783: NoScript whitelist reset is fingerprintable
-------------------------------------------------+-------------------------
 Reporter:  mikeperry                            |          Owner:
     Type:  defect                               |  mikeperry
 Priority:  normal                               |         Status:  new
Component:  Tor Browser                          |      Milestone:
 Keywords:  tbb-fingerprinting,                  |        Version:
  MikePerry201508, TorBrowserTeam201508,         |  Actual Points:
  tbb-5.0-regression                             |         Points:
Parent ID:                                       |
-------------------------------------------------+-------------------------
 In my haste to fix #16730 in time for 5.0, I forgot to account for the
 fact that the reset whitelist omits blob:, mediasource: and moz-safe-
 about:. Technically websites can detect this and use it to fingerprint
 users.

 We should probably add these URIs back in to the whitelist if they are
 absent, or remove them if they are present. I am leaning towards adding
 them, since I suspect mediasource: and blob: are needed by some sites
 (which is probably why Giorgio added them).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16783>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online