[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #22501 [Applications/Tor Browser]: Requests via javascript: violate FPI

To: undisclosed-recipients: ;
Subject: Re: [tor-bugs] #22501 [Applications/Tor Browser]: Requests via javascript: violate FPI
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Tue, 26 Sep 2017 22:23:34 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 26 Sep 2017 18:23:44 -0400
In-reply-to: <051.82c94c1e509ba6b13fefeacd790439f8@torproject.org>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <051.82c94c1e509ba6b13fefeacd790439f8@torproject.org>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#22501: Requests via javascript: violate FPI
--------------------------------------+---------------------------
 Reporter:  cypherpunks               |          Owner:  pospeselr
     Type:  defect                    |         Status:  assigned
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Major                     |     Resolution:
 Keywords:  tbb-linkability           |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+---------------------------

Comment (by pospeselr):

 So the problem here is NoScript with 'noscript.global' preference enabled
 (hence why only happens when in Medium or Higher security setting).

 When an <a> element is clicked and the href attribute starts with
 'javascript:' NoScript tries to heuristically extract a URI from the
 source by looking for a string between " or ' characters that does not
 contain invalid URI characters (
 https://github.com/avian2/noscript/blob/8e12f5ce4f2ddf169da3867ca80323cbbd789948/xpi/chrome/content/noscript/Main.js#L4168
 ) and uses that as the href string instead, passing this new href on to an
 XMLHttpRequest at which point everything happens as normal.

 It will interpret the href as relative to the document's URI, unless the
 href is itself an absolute URL (per https://developer.mozilla.org/en-
 US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIIOService#newURI() ).

 This has some really cool consequences such that this <a> element will go
 to github when clicked with NoScript enabled:

 <a href="javascript:/* code from 'http://www.github.com' */
 window.alert('Hello!');">Hello!</a>

 proof: https://pste.eu/p/pWdf.html

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22501#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: Re: [tor-bugs] #23653 [Core Tor/Tor]: When accessing onion service with no fetchable descriptor, Tor sits around until timeout rather than hanging up
Next by Author: Re: [tor-bugs] #12541 [Core Tor/Tor]: Integrate KIST socket/circuit scheduling
Previous by thread: Re: [tor-bugs] #22501 [Applications/Tor Browser]: Requests via javascript: violate FPI
Next by thread: Re: [tor-bugs] #22501 [Applications/Tor Browser]: Requests via javascript: violate FPI
Index(es):
- Author
- Thread