[tbb-commits] [tor-browser-build/master] Bug 15599: Range requests used by pdfjs are not isolated to URL bar domain
gk at torproject.org
Wed Feb 21 07:59:14 UTC 2018
commit 7db15759a31a7381d0a43b1a40373cd9f970210a
Author: Richard Pospesel <richard at torproject.org>
Date: Thu Jan 18 19:15:55 2018 -0800
Bug 15599: Range requests used by pdfjs are not isolated to URL bar domain
After much debugging and investigation, it seems that the required
information needed to drive the first-party domain cannot be accessed in
the XmlHttpRequest creation path. The JS context the part of pdf.js making
the range requests runs with does not have a reference to parent window and
associated LoadInfo information (which includes the requesting first-party
domain).
To fix the issue, we can easily disable support for range-based requests
via the pdfjs.disableRange property. However, the side-effect here is
that pages can not be read as they load; the entire pdf must be
downloaded before it can be read and interacted with.
This patch updates each platform's extension-overrides.js to change this
pref.
---
.../Data/Browser/profile.default/preferences/extension-overrides.js | 4 ++++
.../Data/Browser/profile.default/preferences/extension-overrides.js | 4 ++++
.../Data/Browser/profile.default/preferences/extension-overrides.js | 4 ++++
3 files changed, 12 insertions(+)
diff --git a/projects/tor-browser/Bundle-Data/linux/Data/Browser/profile.default/preferences/extension-overrides.js b/projects/tor-browser/Bundle-Data/linux/Data/Browser/profile.default/preferences/extension-overrides.js
index 54dcf91..9476edc 100644
--- a/projects/tor-browser/Bundle-Data/linux/Data/Browser/profile.default/preferences/extension-overrides.js
+++ b/projects/tor-browser/Bundle-Data/linux/Data/Browser/profile.default/preferences/extension-overrides.js
@@ -56,3 +56,7 @@ pref("noscript.restrictSubdocScripting", true);
pref("noscript.showVolatilePrivatePermissionsToggle", false);
pref("noscript.volatilePrivatePermissions", true);
pref("noscript.clearClick", 0);
+
+# PDF.js
+// needs to be a user_pref because pdf.js blows away non-user prefs with it's own defaults each time
+user_pref("pdfjs.disableRange", true);
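Review bot: The comment above the added user_pref("pdfjs.disableRange", true) line explains why it is a user_pref rather than a pref like the noscript entries around it, but not why range requests are turned off at all. Suggest a second comment line that names Bug 15599 and says the range requests made by pdf.js are not isolated to the URL bar domain, so the pref is not flipped back later just to restore progressive loading. Also, "it's own defaults" in that comment should read "its own defaults".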
diff --git a/projects/tor-browser/Bundle-Data/mac/TorBrowser/Data/Browser/profile.default/preferences/extension-overrides.js b/projects/tor-browser/Bundle-Data/mac/TorBrowser/Data/Browser/profile.default/preferences/extension-overrides.js
index 54dcf91..9476edc 100644
--- a/projects/tor-browser/Bundle-Data/mac/TorBrowser/Data/Browser/profile.default/preferences/extension-overrides.js
+++ b/projects/tor-browser/Bundle-Data/mac/TorBrowser/Data/Browser/profile.default/preferences/extension-overrides.js
@@ -56,3 +56,7 @@ pref("noscript.restrictSubdocScripting", true);
pref("noscript.showVolatilePrivatePermissionsToggle", false);
pref("noscript.volatilePrivatePermissions", true);
pref("noscript.clearClick", 0);
+
+# PDF.js
+// needs to be a user_pref because pdf.js blows away non-user prefs with it's own defaults each time
+user_pref("pdfjs.disableRange", true);
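Review bot: The section heading "# PDF.js" uses "#" as its comment marker while the comment line directly below it uses "//". Suggest using one marker for both added comment lines, matching whatever the rest of extension-overrides.js uses for its section headings, so the new block reads consistently.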
diff --git a/projects/tor-browser/Bundle-Data/windows/Data/Browser/profile.default/preferences/extension-overrides.js b/projects/tor-browser/Bundle-Data/windows/Data/Browser/profile.default/preferences/extension-overrides.js
index 54dcf91..9476edc 100644
--- a/projects/tor-browser/Bundle-Data/windows/Data/Browser/profile.default/preferences/extension-overrides.js
+++ b/projects/tor-browser/Bundle-Data/windows/Data/Browser/profile.default/preferences/extension-overrides.js
@@ -56,3 +56,7 @@ pref("noscript.restrictSubdocScripting", true);
pref("noscript.showVolatilePrivatePermissionsToggle", false);
pref("noscript.volatilePrivatePermissions", true);
pref("noscript.clearClick", 0);
+
+# PDF.js
+// needs to be a user_pref because pdf.js blows away non-user prefs with it's own defaults each time
+user_pref("pdfjs.disableRange", true);
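Review bot: These four added lines are the third identical copy in this commit, and the linux, mac and windows files all go from blob 54dcf91 to 9476edc, so the three files hold the same content before and after the change. A privacy-relevant pref maintained in three places can drift if a later edit misses one platform; consider generating the per-platform files from a single shared extension-overrides.js, or at least state in the commit message that all three copies must change together.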