Re: [tor-bugs] #16620 [Tor Browser]: Transform window.name handling into Firefox patch

["Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>]

#16620: Transform window.name handling into Firefox patch
-------------------------------------------------+-------------------------
 Reporter:  mikeperry                            |          Owner:  mcs
     Type:  defect                               |         Status:
 Priority:  Medium                               |  assigned
Component:  Tor Browser                          |      Milestone:
 Severity:  Normal                               |        Version:
 Keywords:  tbb-torbutton-conversion,            |     Resolution:
  TorBrowserTeam201510                           |  Actual Points:
Parent ID:                                       |         Points:
  Sponsor:  SponsorU                             |
-------------------------------------------------+-------------------------

Comment (by mcs):

 Replying to [comment:9 arthuredelstein]:
 > Now I've read 4.5.12. :) I tried some more experiments, each of which I
 started by going to `https://www.torproject.org` and entering `window.name
 = "test";` in the content page JS console, then browsing to either
 `https://trac.torproject.org` (trac) or
 `https://www.internetdefenseleague.org` (idl), either by entering the
 latter address in the URL bar or clicking on a link ("Tor Wiki" or the IDL
 logo). Here are the results:
 > ...

 Thanks for doing this!

 > I guess it's not entirely clear to me what the best choice is. Chrome's
 behavior seems possibly the least disruptive choice. It pains me that
 content can observe what third-party links a user clicks on and can send
 data to the third-party site, but as explained in the Tor Browser Design
 document, there are ways besides window.name to pass on that information
 via a link click.
 >
 > On the other hand, as Mark and Kathy point out, what Mozilla is willing
 to accept is a big consideration.

 I suspect it will be difficult to get Mozilla to accept any change (due to
 potential breakage of sites). But I don't really know.

 For test case 8, it isn't clear what criteria Chrome used to decide to
 clear window.name. Maybe it is comparing top-level domains? We would need
 to look at the Chromium code and try to match Google's behavior.

 Since Kathy and I are in favor of breaking this link between windows more
 aggressively, we prefer our current patch's behavior or the existing TB
 5.0.3 behavior. Kathy and I will look at how difficult it would be to
 create a C++ patch that mimics the 5.0.3 behavior.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16620#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs