[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #18390 [Tor Browser]: PDF.js triggers canvas fingerprinting warning for some PDFs

Subject: Re: [tor-bugs] #18390 [Tor Browser]: PDF.js triggers canvas fingerprinting warning for some PDFs
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Sat, 27 Feb 2016 21:06:47 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 27 Feb 2016 16:06:57 -0500
In-reply-to: <047.2e43d7771ebab0b76c67c8f0ee6b4638@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <047.2e43d7771ebab0b76c67c8f0ee6b4638@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#18390: PDF.js triggers canvas fingerprinting warning for some PDFs
-------------------------+---------------------------
 Reporter:  xcolour      |          Owner:  tbb-team
     Type:  defect       |         Status:  closed
 Priority:  Medium       |      Milestone:
Component:  Tor Browser  |        Version:
 Severity:  Normal       |     Resolution:  not a bug
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
  Sponsor:               |
-------------------------+---------------------------

Comment (by cypherpunks):

 Replying to [comment:3 cypherpunks]:
 > How about substituting site-hosted pdf.js with builtin one in an iframe?
 This is interesting. Maybe NoScript surrogates would be enough?

 Interesting I said, but I actually do not like idea. You would be running
 privileged code in an unprivileged context. Need a refresher on privilege
 escalation exploits? How about these 2:
 https://www.mozilla.org/en-US/security/advisories/mfsa2015-69/
 https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/

 That's a High and a Critical vuln, according to Mozilla's classification,
 in pdf.js in the last what 6-7 months? The second one was found in the
 wild:
 https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-
 wild/

 I think in Tor Browser we should prefer security over convenience. And
 what kind of inconvenience are we talking about here? This is not Tor
 Browser outright blocking all canvas code. Is presenting a prompt, in some
 accesses, and you could dismiss it as well.

 In this case, if you decide to disallow it (the finer choice), what's the
 impact? yurydelendik tells us in
 https://github.com/mozilla/pdf.js/issues/7026#issuecomment-188802006: "it
 will affect the display quality for some old windows machines". Who the
 hell cares? :)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18390#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

References:
- [tor-bugs] #18390 [Tor Browser]: PDF.js triggers canvas fingerprinting warning for some PDFs
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #16072 [Service - trac]: Stop using reCaptcha on all your services
Next by Author: Re: [tor-bugs] #16705 [Website]: Update instructions for Debian/Ubuntu
Previous by thread: Re: [tor-bugs] #18390 [Tor Browser]: PDF.js triggers canvas fingerprinting warning for some PDFs
Next by thread: [tor-bugs] #18391 [Tor Messenger]: Tor Messenger Error for odnoklassniki protocol
Index(es):
- Author
- Thread