[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information
#8725: resource:// URIs leak information
-------------------------------------------------+-------------------------
Reporter: holizz | Owner: tbb-
Type: defect | team
Priority: Very High | Status:
Component: Applications/Tor Browser | needs_review
Severity: Major | Milestone:
Keywords: tbb-fingerprinting, tbb-rebase- | Version:
regression, tbb-testcase, tbb-firefox-patch, | Resolution:
TorBrowserTeam201606R | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by yawning):
Replying to [comment:29 cypherpunks]:
> My original idea is that only privileged `chrome://` or `about:` pages
can initiate a redirect to the blocked resources. If there is no such
redirecting URIs accessible from content, there should be no leaks.
After looking at the documentation and the relevant specs, I'm 99.9% sure
you're correct.
`XMLHttpRequest()` will fail the same-origin check, since the request is
not coming from internal to the Firefox code (requests dispatched from
inside Firefox can bypass the check completely, but poorly written addons
are not our problem).
`Fetch()` refuses to have anything to do with redirects to non-HTTP(s)
scheme URLs. (See: 5.4 HTTP-redirect fetch).
> However, testing is needed anyway.
Yeah.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8725#comment:30>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs