[tbb-bugs] #15502 [Tor Browser]: Blob URIs considered harmful
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Mar 29 19:38:30 UTC 2015
#15502: Blob URIs considered harmful
-------------------------+-------------------------------------------------
Reporter: | Owner: tbb-team
mikeperry | Status: new
Type: defect | Milestone:
Priority: major | Version:
Component: Tor | Keywords: tbb-linkability, tbb-newnym,
Browser | TorBrowserTeam201503, tbb-4.5-alpha
Resolution: | Parent ID:
Actual Points: |
Points: |
-------------------------+-------------------------------------------------
Changes (by gk):
* cc: gk (added)
Comment:
Replying to [ticket:15502 mikeperry]:
> Here's an example blob URI creation script that gives you a blob uri
that you can throw in the URL bar. It will then execute scripts (pop up an
alert) even if you have instructed NoScript to disable scripts globally:
> https://people.torproject.org/~mikeperry/transient/tests/blob-uri-
creation.html
Interesting, but setting the security slider to "high" does not let the
blob: URI execute it seems. Nevertheless, this is pretty scary. I think
the safest for 4.5 is to just disable the support for that scheme. We
could then think about handling all the related issues properly.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15502#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list