Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

["Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>]

#8725: resource:// URIs leak information
-------------------------------------------------+-------------------------
 Reporter:  holizz                               |          Owner:  tbb-
     Type:  defect                               |  team
 Priority:  Very High                            |         Status:
Component:  Applications/Tor Browser             |  needs_review
 Severity:  Major                                |      Milestone:
 Keywords:  tbb-fingerprinting, tbb-rebase-      |        Version:
  regression, tbb-testcase, tbb-firefox-patch,   |     Resolution:
  TorBrowserTeam201606R                          |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by yawning):

 Replying to [comment:27 gk]:
 > {{{
 > The second one is that shouldLoad is not invoked for redirects. You only
 get one call, for the first URL requested. If you let it pass, it can
 redirect anywhere without you noticing it.
 > }}}
 > https://developer.mozilla.org/en-US/Add-
 ons/Overlay_Extensions/XUL_School/Intercepting_Page_Loads
 >
 > So, my first guess would be that redirects can bypass this blocking
 mechanism. Did anybody test this?

 I have not.  If `nsIWebProgressListener2` fire, at the right time for
 chrome/resource URLs that may be an option here (specifically we want the
 `onRefreshAttempted()` callback).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8725#comment:28>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs