Re: [tor-bugs] #8725 [Firefox Patch Issues]: resource:// URIs leak information
#8725: resource:// URIs leak information
-------------------------------------+-------------------------------------
Reporter:      holizz                | Owner:      mikeperry
Type:          defect                | Status:     assigned
Priority:      major                 | Milestone:
Component:     Firefox Patch Issues  | Version:
Resolution:                          | Keywords:   tbb-fingerprinting,
                                     |             tbb-rebase-regression
Actual Points:                       | Parent ID:
Points:                              |
-------------------------------------+-------------------------------------
Comment (by saint):
This can be bypassed in a couple of different ways (just off the top of my
head). One is by pretending to be a non-Firefox browser (as mentioned
above), which has some serious compatibility issues with sites that serve
up different code to different browsers. Another is to strip resource://
requests on pageload when possible. The extension set ''Disconnect'' does
this for around a million users. In Chrome, this would be dead simple
with ''beforeload'' coupled with a background script but Firefox isn't
impossible.

Perhaps make a Firefox extension that sets an observer (using
''observer-service'') to listen for ''http-on-modify-request'' (literally any
request) which can detect URL scheme/prefix. Then block those requests.
Or respond to all of them with gibberish.

To some extent this is less of an issue because the Tor browser bundle
user group is comparatively homogenous. A larger issue is that it's
possible to detect extensions used and launch an exploit for only those
users (again, less of an issue for TBB, but a large issue for the internet
as a whole).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8725#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
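
The scheme check suggested in the comment above ("detect URL scheme/prefix, then block those requests"), as an added example that is not part of the original message or of any Tor Project code. The request shape (`url`, `originUrl`), the function names and the wrapper-scheme handling are assumptions made for illustration; the browser hook that would call `decide` is not shown.

```javascript
// Added example. Policy: web content (http/https) may not load resource:// URLs.
const BLOCKED_SCHEMES = new Set(["resource:"]);
// Schemes that wrap another URL (assumed set); the inner URL is what gets loaded.
const WRAPPER_SCHEMES = new Set(["view-source:", "jar:"]);
const WEB_SCHEMES = new Set(["http:", "https:"]);

// Normalised scheme ("resource:") or null if the value is not a valid URL.
function schemeOf(raw) {
  if (raw == null) return null;
  try {
    return new URL(String(raw).trim()).protocol; // parser lowercases the scheme
  } catch {
    return null;
  }
}

// Peel wrapper schemes so "view-source:resource://..." is judged as resource:.
function innermostScheme(raw) {
  let url = String(raw).trim();
  for (let depth = 0; depth < 4; depth++) {
    const scheme = schemeOf(url);
    if (scheme === null || !WRAPPER_SCHEMES.has(scheme)) return scheme;
    url = url.slice(url.indexOf(":") + 1);
  }
  return null; // nested too deeply: treat as unparseable
}

// request: { url, originUrl } (hypothetical shape supplied by the caller's hook).
function decide(request) {
  const origin = schemeOf(request.originUrl);
  if (!WEB_SCHEMES.has(origin)) {
    return { action: "allow", reason: "non-web-origin" }; // browser UI, about: pages
  }
  const target = innermostScheme(request.url);
  if (target === null) {
    return { action: "block", reason: "unparseable-url" }; // fail closed for web content
  }
  if (BLOCKED_SCHEMES.has(target)) {
    return { action: "block", reason: "internal-scheme-from-web" };
  }
  return { action: "allow", reason: "ordinary-load" };
}
```

Matching on the parsed scheme rather than a string prefix is what keeps mixed-case, padded and wrapped URLs from slipping past the check.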