[tbb-bugs] #26540 [Applications/Tor Browser]: Enabling pdfjs disableRange option prevents pdfs from loading
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Jul 14 01:56:56 UTC 2018
#26540: Enabling pdfjs disableRange option prevents pdfs from loading
---------------------------------------------+-----------------------------
Reporter: pospeselr | Owner: pospeselr
Type: defect | Status:
| needs_review
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ff60-esr, TorBrowserTeam201807R | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
---------------------------------------------+-----------------------------
Changes (by pospeselr):
* keywords: ff60-esr, TorBrowserTeam201807 => ff60-esr,
TorBrowserTeam201807R
* status: needs_information => needs_review
Comment:
Two patches, one for tor-browser and one for torbutton.
The patches take an approach of 'smuggling' the first party domain on the
existing nsIPrivateBrowsingChannel used by XMLHttpRequest. Basically, the
first-party domain is known when the range-based request is created, but
since it's created from within chrome js code, it gets the System
Principal which throws out all that info. So, in pdfjs we set the
firstPartyDomain on the channel object which is then read by torbutton.
If torbutton fails to find a firstPartyDomain in the usual way from the
OriginAttributes, it will try to read it off of the channel directly.
With this smuggling hack in place, we should be able to fix any other
'XMLHttpRequest-created-in-System-Principal' first-party isolation issues
we come across.
Currently doing an RBM build with the patches applied just to make sure it
all works as expected without hacks.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26540#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list