Re: [tor-bugs] #25147 [Applications/Tor Browser]: Backport of fix shipped in Firefox 58.0.1?
#25147: Backport of fix shipped in Firefox 58.0.1?
--------------------------------------+------------------------------
Reporter: gk | Owner: pospeselr
Type: task | Status: needs_review
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: TorBrowserTeam201803R | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+------------------------------
Comment (by mcs):
Replying to [comment:5 gk]:
> Thanks, looks good to me.
Kathy and I also reviewed the backported patch and we think it is okay. We
do have a couple of questions:
* Did we look at the "depends on" bug list from
https://bugzilla.mozilla.org/show_bug.cgi?id=1432966? Maybe that explains
some of the differences between the mozilla-central patch and the release
one; for example, I just checked and the fix for
https://bugzilla.mozilla.org/show_bug.cgi?id=1433414 is present.
* The changes to `devtools/client/responsive.html/components/Browser.js`
are missing. Do we need them? I guess the equivalent file in ESR52 is
browser.js (with a lowercase-B).
> I wonder whether we have some means to find out if there are instances
> of this problem that are solely on the ESR 52 branch which Mozilla did not
> deem worth enough to write a defense-in-depth for. But anyway, that should
> give us at least the protections available on -release.
I think the only method is to look at all occurrences of `innerHTML =`,
and that is a painful exercise. Kathy and I started that task and found
some things that are in ESR52 but not in mozilla-central. Unfortunately,
we had to give up after only getting part way through the huge list of
files that need to be examined (we stopped somewhere in the d's, just
after 'devtools'). For the record, here are the files we did find that
contain `innerHTML =` statements that look like they should be patched:
browser/base/content/newtab/sites.js
browser/components/customizableui/CustomizeMode.jsm
browser/components/syncedtabs/SyncedTabsDeckView.js
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25147#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
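
The manual search for `innerHTML =` described in the comment above can be scripted; the following is an added example, not part of the original message or of Tor Browser's or Mozilla's tooling. It assumes that assignments of a single constant string literal need no review and that the listed file extensions are the ones worth scanning; the sample input is constructed.

```python
import re
import sys
from pathlib import Path

# `.innerHTML =` and `.innerHTML +=`, but not `==` / `===` comparisons.
ASSIGN = re.compile(r"\.innerHTML\s*\+?=(?!=)\s*(?P<rhs>.*)")
# Assumption: a right-hand side that is one constant string literal needs no review.
CONST_RHS = re.compile(r"""^(?:"[^"\\]*"|'[^'\\]*')\s*;?\s*(?://.*)?$""")
# Assumption: file types worth scanning; extend as needed.
EXTENSIONS = {".js", ".jsm", ".jsx", ".xul", ".xml", ".html", ".xhtml"}

def scan_text(text):
    """Return (line_number, line) for every non-constant innerHTML assignment."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "*", "/*")):
            continue  # whole-line comment
        match = ASSIGN.search(line)
        # An empty right-hand side (value on the next line) is still reported.
        if match and not CONST_RHS.match(match.group("rhs").strip()):
            hits.append((number, stripped))
    return hits

def scan_tree(root):
    """Map relative path -> hits, in sorted path order so a review can be resumed."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in EXTENSIONS:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[path.relative_to(root).as_posix()] = hits
    return results

# Constructed sample, not taken from the Firefox tree.
SAMPLE = '''let node = document.createElement("div");
node.innerHTML = "";
node.innerHTML = "<b>" + title + "</b>";
if (node.innerHTML == cached) return;
// node.innerHTML = old;
node.innerHTML += rowMarkup;
'''

if __name__ == "__main__":
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"<sample>": scan_text(SAMPLE)}
    for name, hits in found.items():
        for number, line in hits:
            print(f"{name}:{number}: {line}")
```

Run with the source checkout as the only argument; each reported line still needs a human decision on whether the assigned value can contain untrusted markup.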