Re: [tor-bugs] #16874 [Tor Browser]: https://sports.yahoo.com/dailyfantasy is broken with Tor Browser 5.0 on Windows
#16874: https://sports.yahoo.com/dailyfantasy is broken with Tor Browser 5.0 on Windows
---------------------------+-----------------------------------------------
     Reporter:  gk         |      Owner:  tbb-team
         Type:  defect     |     Status:  new
     Priority:  normal     |  Milestone:
    Component:  Tor        |    Version:
                Browser    |   Keywords:  tbb-usability-website,
   Resolution:             |              tbb-5.0-regression, TorBrowserTeam201509
Actual Points:             |  Parent ID:
       Points:             |
---------------------------+-----------------------------------------------
Comment (by mikeperry):
I'm unfamiliar with the new Services.scriptloader.loadSubScript API, but
looking it up, it seems common for people to use
https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Language_Bindings/Components.utils.Sandbox
with it still, to cause the script to evaluate with content privileges.

Are you sure that what you did with XPCNativeWrapper.unwrap() instead is
safe there?

There are two main sources of risk when doing stuff like this:

 1. Adding Intl.js from chrome could cause the Intl.js expandos to
    actually have chrome privileges inside the content window. This seems
    unlikely, but again I'm not sure.
 2. The polyfill itself may be running with chrome privs when installing
    itself, which means that if it touches an unwrapped window property, it
    may be induced to execute content code (in the form of a getter/setter,
    perhaps) that way, in a privileged setting.

For some reason, I can't seem to find any documentation on either of these
risks. Perhaps that's because this new API is magically safe no matter how
you use it? Maybe this is a question for #security on irc.mozilla.org,
and/or some testing?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16874#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
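
Added example (not part of mikeperry's comment or of the Tor Browser patch): a plain-JavaScript model of the second risk listed above, runnable in Node. It shows that a polyfill's usual feature test and assignment both dispatch to accessors the page defined, while descriptor inspection plus Object.defineProperty does not. makeContentWindow, naiveInstall and carefulInstall are hypothetical names, and the chrome/content privilege boundary itself is not modeled.

```javascript
// Constructed stand-in for an unwrapped content window: the page has
// pre-defined an accessor named Intl and records each time it runs.
function makeContentWindow() {
  const calls = [];
  const win = { calls };
  Object.defineProperty(win, 'Intl', {
    configurable: true,
    get() { calls.push('getter'); return undefined; },
    set(value) { calls.push('setter'); },
  });
  return win;
}

// Typical polyfill install: the feature test reads the property and the
// install assigns it, so both run page-defined code in the installer's context.
function naiveInstall(win, impl) {
  if (!win.Intl) {
    win.Intl = impl;
  }
  return win.calls.slice();
}

// Hypothetical hardened install: look at the descriptor instead of reading
// the value, and define a data property instead of assigning.
// Limits of this model: a Proxy could still run its own traps here, and a
// non-configurable page accessor makes defineProperty throw a TypeError.
function carefulInstall(win, impl) {
  const desc = Object.getOwnPropertyDescriptor(win, 'Intl');
  const hasRealValue =
    desc !== undefined && 'value' in desc && desc.value != null;
  if (!hasRealValue) {
    Object.defineProperty(win, 'Intl', {
      value: impl,
      writable: true,
      configurable: true,
      enumerable: false,
    });
  }
  return win.calls.slice();
}
```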