
Re: [tor-bugs] #22501 [Applications/Tor Browser]: Requests via javascript: violate FPI



#22501: Requests via javascript: violate FPI
--------------------------------------+---------------------------
 Reporter:  cypherpunks               |          Owner:  pospeselr
     Type:  defect                    |         Status:  assigned
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Major                     |     Resolution:
 Keywords:  tbb-linkability           |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+---------------------------

Comment (by pospeselr):

 So the problem here is NoScript with the 'noscript.global' preference enabled
 (hence why it only happens when in the Medium or Higher security setting).

 When an <a> element is clicked and the href attribute starts with
 'javascript:' NoScript tries to heuristically extract a URI from the
 source by looking for a string between " or ' characters that does not
 contain invalid URI characters (
 https://github.com/avian2/noscript/blob/8e12f5ce4f2ddf169da3867ca80323cbbd789948/xpi/chrome/content/noscript/Main.js#L4168
 ) and uses that as the href string instead, passing this new href on to an
 XMLHttpRequest at which point everything happens as normal.

 It will interpret the href as relative to the document's URI, unless the
 href is itself an absolute URL (per
 https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIIOService#newURI() ).

 This has some really cool consequences such that this <a> element will go
 to github when clicked with NoScript enabled:

 <a href="javascript:/* code from 'http://www.github.com' */
 window.alert('Hello!');">Hello!</a>

 proof: https://pste.eu/p/pWdf.html

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22501#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
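
An approximation of the fallback behaviour described in the comment above, as an added example that is not part of the original message and is not NoScript's code: it pulls the first quoted, URI-like string out of a javascript: href, resolves it against the document URI, and flags results that leave the document's origin. The regular expression, the function names and the example.test document URI are assumptions made for illustration.

```javascript
// Added illustration; not NoScript's code. The character class below is an
// assumed stand-in for "invalid URI characters".
const QUOTED_URI_LIKE = /(["'])([^\s"'<>{}|\\^`]+)\1/;

// Return the first quoted run in a javascript: href that could pass as a URI.
function extractCandidate(href) {
  if (!/^\s*javascript:/i.test(href)) return null;
  const m = QUOTED_URI_LIKE.exec(href.replace(/^\s*javascript:/i, ""));
  return m ? m[2] : null;
}

// Resolve the candidate the way the comment describes: relative to the
// document URI unless the candidate is itself an absolute URL.
function fallbackTarget(href, documentUri) {
  const candidate = extractCandidate(href);
  if (candidate === null) return null;
  let resolved;
  try {
    resolved = new URL(candidate, documentUri);
  } catch (e) {
    return null; // not parseable as a URI reference
  }
  return {
    candidate,
    resolved: resolved.href,
    // true when the fallback request would go to another origin
    crossOrigin: resolved.origin !== new URL(documentUri).origin,
  };
}

// Constructed sample inputs: the anchor from the comment plus two variations.
const DOC = "https://example.test/dir/page.html";
const samples = [
  "javascript:/* code from 'http://www.github.com' */ window.alert('Hello!');",
  "javascript:load('img/a.png')",
  "javascript:void(0)",
];
for (const href of samples) {
  console.log(href, "=>", fallbackTarget(href, DOC));
}
```

Because the first quoted string wins, text inside a JavaScript comment is enough to select the target, which is what the anchor in the comment relies on.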