[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #4286 [EFF-HTTPS Everywhere]: We cannot detect JavaScript redirection loops

#4286: We cannot detect JavaScript redirection loops
----------------------------------+-----------------------------------------
 Reporter:  pde                   |          Owner:  pde
     Type:  defect                |         Status:  new
 Priority:  normal                |      Milestone:     
Component:  EFF-HTTPS Everywhere  |        Version:     
 Keywords:                        |         Parent:     
   Points:                        |   Actualpoints:     
----------------------------------+-----------------------------------------

Comment(by mikeperry):

 Hrmm, yeah, in the fourthparty code, content<->XUL IPC seems to flow
 through the Jetpack 'port' object (see
 https://github.com/fourthparty/fourthparty/blob/038c04fa90c76913754f7877337b8b72f4eadbb5/extension/data/content.js).

 I think this is the Jetpack doc describing the IPC between content script
 and XUL context: https://addons.mozilla.org/en-US/developers/docs/sdk/1.4
 /dev-guide/addon-development/web-content.html

 How much overhead is Jetpack, I wonder? Is it stupid to start using it
 just for content scripts?

 Back when I wrote Torbutton's javascript content hooks, this 'port' IPC
 channel didn't exist, and this type of 2-way page-to-XUL communication was
 fraught with risk of code execution bugs due to XUL XSS.. If we decide to
 re-implement it, we should do so with caution to make sure we don't miss
 anything.

 On the other hand, we'll need to make sure that the Jetpack injection
 loads early enough, and in all child iframes (including javascript: urls).
 This was a huge pain with Torbutton, and I had to write a content policy-
 based injector path to get all cases.. So it's also possible JetPack does
 a sloppy job by our standards :/.

 Before we even get to that point, though, we need to make sure that
 window.location, meta tag creation, and form-submit based redirects (and
 others?) are all hookable with Object.defineProperty and/or other
 mechanisms. Unfortunately, when I try a quick test in the web developer
 console, my Firefox crashes....

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4286#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs