
[tor-commits] [torbutton/master] Bug 8725: Block `chrome://` based fingerprinting with nsIContentPolicy.



commit ace11cd8020aaf0136ee58aa074666f10c14abb9
Author: Yawning Angel <yawning@xxxxxxxxxxxxxxx>
Date:   Fri Jun 17 01:27:14 2016 +0000

    Bug 8725: Block `chrome://` based fingerprinting with nsIContentPolicy.
    
    Most addons do not set `contentaccessible=yes`, however behavior should
    be consistent even if such addons are installed.
    
    This does not affect any of the standard addons shipped with Tor Browser, but
    will break user installed addons that depend on actually being able to
    access `chrome://` URLs in this manner.
---
 src/components/content-policy.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/components/content-policy.js b/src/components/content-policy.js
index b4b33a7..c6c8aa9 100644
--- a/src/components/content-policy.js
+++ b/src/components/content-policy.js
@@ -24,12 +24,12 @@ ContentPolicy.prototype = {
   _xpcom_categories: [{category: "content-policy"}],
 
   shouldLoad: function(aContentType, aContentLocation, aRequestOrigin, aContext, aMimeTypeGuess, aExtra) {
-    // Accept if no content URI or scheme is not a resource.
-    if (!aContentLocation || !aContentLocation.schemeIs('resource'))
+    // Accept if no content URI or scheme is not a resource/chrome.
+    if (!aContentLocation || !(aContentLocation.schemeIs('resource') || aContentLocation.schemeIs('chrome')))
       return Ci.nsIContentPolicy.ACCEPT;
 
-    // Accept if no origin URI, or if the origin URI scheme is chrome/resource.
-    if (!aRequestOrigin || aRequestOrigin.schemeIs('resource') || aRequestOrigin.schemeIs('chrome'))
+    // Accept if no origin URI or if origin scheme is chrome/resource/about.
+    if (!aRequestOrigin || aRequestOrigin.schemeIs('resource') || aRequestOrigin.schemeIs('chrome') || aRequestOrigin.schemeIs('about'))
       return Ci.nsIContentPolicy.ACCEPT;
 
     // Accept if resource directly loaded into a tab.
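Review bot: The new `aRequestOrigin.schemeIs('about')` exemption in the second condition is not mentioned in the commit message, and because that condition is shared it now accepts about: origins for `resource://` targets as well as for the newly covered `chrome://` ones, widening the existing resource policy rather than only supporting the new check. If about: pages need it to load their own chrome/resource assets, say so in the comment or the commit message. The `!aRequestOrigin` branch also means a `chrome://` load with no origin URI is still accepted, which is worth confirming as intended for the fingerprinting case. Both scheme tests are now long single lines; a small helper for the target-scheme check and another for the exempt-origin check would keep them readable.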



_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits