Re: [tor-bugs] #18390 [Tor Browser]: PDF.js triggers canvas fingerprinting warning for some PDFs
#18390: PDF.js triggers canvas fingerprinting warning for some PDFs
-------------------------+---------------------------
Reporter: xcolour | Owner: tbb-team
Type: defect | Status: closed
Priority: Medium | Milestone:
Component: Tor Browser | Version:
Severity: Normal | Resolution: not a bug
Keywords: | Actual Points:
Parent ID: | Points:
Sponsor: |
-------------------------+---------------------------
Comment (by cypherpunks):
Replying to [comment:3 cypherpunks]:
> How about substituting site-hosted pdf.js with builtin one in an iframe?
This is interesting. Maybe NoScript surrogates would be enough?
Interesting, I said, but I actually do not like the idea. You would be running
privileged code in an unprivileged context. Need a refresher on privilege
escalation exploits? How about these 2:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-69/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/
That's a High and a Critical vuln, according to Mozilla's classification,
in pdf.js in the last, what, 6-7 months? The second one was found in the
wild:
https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/
I think in Tor Browser we should prefer security over convenience. And
what kind of inconvenience are we talking about here? This is not Tor
Browser outright blocking all canvas code. It is presenting a prompt, in some
accesses, and you could dismiss it as well.
In this case, if you decide to disallow it (the finer choice), what's the
impact? yurydelendik tells us in
https://github.com/mozilla/pdf.js/issues/7026#issuecomment-188802006: "it
will affect the display quality for some old windows machines". Who the
hell cares? :)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18390#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online