[tbb-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Jun 16 20:45:03 UTC 2016
#8725: resource:// URIs leak information
-------------------------------------------------+-------------------------
 Reporter: holizz                                | Owner: tbb-team
 Type: defect                                    | Status: needs_review
 Priority: Very High                             | Milestone:
 Component: Applications/Tor Browser             | Version:
 Severity: Major                                 | Resolution:
 Keywords: tbb-fingerprinting,                   | Actual Points:
  tbb-rebase-regression, tbb-testcase,           |
  tbb-firefox-patch, TorBrowserTeam201606R       |
 Parent ID:                                      | Points:
 Reviewer:                                       | Sponsor:
-------------------------------------------------+-------------------------
Comment (by arthuredelstein):
I also made a test to see if I could use redirects from content to load
resource:// or chrome:// URIs into <script> elements:
https://arthuredelstein.github.io/tordemos/resource-locale.html
In unpatched Firefox or TorBrowser, the redirects fail and the following
error is shown in the Browser Console:
{{{
Security Error: Content at https://arthuredelstein.github.io/tordemos/resource-locale.html may not load or link to jar:file:///Applications/Firefox.app/Contents/Resources/browser/omni.ja!/defaults/preferences/webide-prefs.js.
Security Error: Content at https://arthuredelstein.github.io/tordemos/resource-locale.html may not load or link to jar:file:///Applications/Firefox.app/Contents/Resources/browser/omni.ja!/chrome/browser/content/browser/browser.xul.
}}}
Direct loading of any prefs.js file succeeds.
But with Yawning's branch, the direct loading is blocked as well. I also
read over the patches and the code looks good to me, so I would be
inclined to include it in torbutton. It would be nice to have the git
subject line start with `Bug 8725:`.
Regarding Yawning's `XXX` comment, I think it is nice to have resource:///
URIs load in tabs for debugging purposes. So unless this introduces a
vulnerability I would be inclined to leave it as is.
Ideally we would come up with a C++ Firefox patch that could be
upstreamed. But to avoid delay I think this torbutton patch is a good
stopgap.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8725#comment:32>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online