[tor-bugs] #15562 [Tor Browser]: SharedWorker (and probably ServiceWorker) violate first party isolation
#15562: SharedWorker (and probably ServiceWorker) violate first party isolation
-----------------------------+--------------------------
Reporter: arthuredelstein | Owner: tbb-team
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor Browser | Version:
Keywords: tbb-linkability | Actual Points:
Parent ID: | Points:
-----------------------------+--------------------------
Running a SharedWorker from an iframe allows passing of information via
JavaScript between two websites. Here's a demo, where two tabs from
different domains share uniquely identifying information. The first tab
generates a random number, and the second tab displays the same random
number.
https://arthuredelstein.github.io/tordemos/sharedworker-parent.html
I haven't looked at ServiceWorkers closely yet, but they appear to offer
similar (possibly worse) ways to violate first party isolation.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15562>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
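
An added illustration of the behaviour the ticket describes (not code from the ticket, the demo page, or Tor Browser): a small Node.js model of a browser's SharedWorker lookup, first keyed only by worker script URL and name, then with the first-party (URL bar) site added to the key. The class, function names, hostnames and the identifier value are constructed for this example, and the isolated keying is an assumed mitigation shape, not Tor Browser's actual patch.

```javascript
// Simulation only: a "worker" is an object whose state every connected page can read/write.
class WorkerRegistry {
  // isolate=false: lookup key is (script URL, name), so any page loading that script shares it.
  // isolate=true:  lookup key also includes the top-level site shown in the URL bar.
  constructor(isolate) {
    this.isolate = isolate;
    this.workers = new Map();
  }

  // Called when a page (or an iframe inside it) runs `new SharedWorker(scriptUrl, name)`.
  connect(firstParty, scriptUrl, name = "") {
    const parts = this.isolate ? [firstParty, scriptUrl, name] : [scriptUrl, name];
    const key = JSON.stringify(parts);
    if (!this.workers.has(key)) this.workers.set(key, { state: null });
    return this.workers.get(key);
  }
}

// Constructed scenario: two unrelated sites each embed an iframe from the same
// third party, and that iframe starts the same SharedWorker script.
function simulate(isolate) {
  const registry = new WorkerRegistry(isolate);
  const script = "https://third-party.example/worker.js";

  const fromTabA = registry.connect("site-a.example", script);
  fromTabA.state = "id-12345"; // value stored via the iframe in tab A

  const fromTabB = registry.connect("site-b.example", script);
  return {
    sameWorker: fromTabA === fromTabB,
    seenInTabB: fromTabB.state,
    workerCount: registry.workers.size,
  };
}

console.log("keyed by script only:   ", simulate(false));
console.log("keyed by first party too:", simulate(true));
```

With the first-party site in the key, the two tabs get separate worker instances, while two tabs of the same site still share one.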