[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #21685 [Applications/Tor Browser]: Remote New Tab pages have access to internal browser APIs in Firefox 52

Subject: Re: [tor-bugs] #21685 [Applications/Tor Browser]: Remote New Tab pages have access to internal browser APIs in Firefox 52
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Fri, 12 May 2017 08:38:08 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 12 May 2017 04:38:20 -0400
In-reply-to: <042.b051ef7dc749b558a8b6c77220201e8d@torproject.org>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <042.b051ef7dc749b558a8b6c77220201e8d@torproject.org>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#21685: Remote New Tab pages have access to internal browser APIs in Firefox 52
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:
                                                 |  needs_review
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, tbb-7.0-must-alpha,        |  Actual Points:
  TorBrowserTeam201705R                          |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor4
-------------------------------------------------+-------------------------
Changes (by arthuredelstein):

 * status:  new => needs_review
 * keywords:  ff52-esr, tbb-7.0-must-alpha, TorBrowserTeam201705 =>
     ff52-esr, tbb-7.0-must-alpha, TorBrowserTeam201705R


Comment:

 The `browser.newtabpage.remote` pref is set to false in Firefox 52ESR by
 default. I looked at the relevant code and tried toggling the pref
 manually and I am convinced that remote pages are disabled in new tabs
 when the pref is false. So I don't think we need to worry about these
 additional APIs being accessed by remote pages.

 We can also set the pref to false ourselves (redundantly) to be sure this
 doesn't change in the future. Here's a patch that does that:
 https://github.com/arthuredelstein/tor-browser/commit/21685

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21685#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: Re: [tor-bugs] #22158 [Applications/Tor Browser]: Tor browser core dump on Arch Linux
Next by Author: Re: [tor-bugs] #6504 [Core Tor/Tor]: Support Windows environment variables in HiddenServiceDir
Previous by thread: Re: [tor-bugs] #19934 [Metrics/CollecTor]: CollecTor should use new metrics-lib json classes
Next by thread: Re: [tor-bugs] #21685 [Applications/Tor Browser]: Remote New Tab pages have access to internal browser APIs in Firefox 52
Index(es):
- Author
- Thread