
Re: [tor-bugs] #8292 [Firefox Patch Issues]: Alter behavior of getFirstPartyURI and consumers



#8292: Alter behavior of getFirstPartyURI and consumers
----------------------------------+-----------------------------------------
 Reporter:  mikeperry             |          Owner:  mikeperry
     Type:  enhancement           |         Status:  new      
 Priority:  major                 |      Milestone:           
Component:  Firefox Patch Issues  |        Version:           
 Keywords:  tbb-linkability       |         Parent:           
   Points:                        |   Actualpoints:           
----------------------------------+-----------------------------------------

Comment(by mcs):

 Kathy Brade and I started to work on this.  After changing
 mozIFirstPartyUtil.getFirstPartyURI() to return an error and log to the
 Error Console when the URI lacks a host, we discovered a couple of
 problems:

 1) The image cache code generates a lot of calls to getFirstPartyURI()
 that involve chrome: and moz-anno: URIs, none of which have hosts.  This
 results in excessive logging to the Error Console.  For example, typing a
 single "a" in the URL bar causes getFirstPartyURI() to log 13 messages in
 my browser (due to chrome image load requests and favicon loads caused by
 browser history access).

 2) Some built-in pages use DOM Storage, e.g., about:home.  We previously
 allowed documents whose URIs lacked hosts to use local storage (no
 isolation).  With the change outlined in this bug, that is no longer
 allowed.  That might be OK, except the pages are not coded to handle that
 situation.  E.g., about:home encounters an uncaught exception in its JS
 code and then fails to initialize its search feature.

 Therefore, I think we need to come up with a more nuanced approach.  Can
 we allow trusted pages to use facilities such as DOM Storage and the image
 cache even though their URIs lack hosts?  Of course there would be no
 isolation for such pages, but that seems OK to me.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8292#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online