[tor-bugs] #2819 [Torbutton]: Removing JS hooks in FF4
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Wed Mar 30 19:49:34 UTC 2011
#2819: Removing JS hooks in FF4
-----------------------+----------------------------------------------------
 Reporter:  gk         |          Owner:  mikeperry
     Type:  defect     |         Status:  new
 Priority:  major      |      Milestone:
Component:  Torbutton  |        Version:
 Keywords:             |         Parent:
   Points:             |   Actualpoints:
-----------------------+----------------------------------------------------
Comment(by gk):
Okay, I just read the comment in jshooks.js today and saw that the
commented window.__proto__ = null is causing the issues. Furthermore, I
recognized that this problem was already uncovered by Gregory Fleischer
some years ago. Nevertheless, I found a solution for fixing it. You have
to split the hooks depending on the Firefox version (fun, I know). If the
user has a FF3 you may set window.__proto__ = null as usual. If you have a
FF4 you do not do this but use the Object.defineProperty with configurable
set to false. It's ES5 stuff available in FF4. The code would then be
something like:

    Object.defineProperty(window.__proto__, "innerWidth", {
        get: function() { return Math.round(origWidth/50.0)*50; },
        configurable: false});

in order to fake the innerWidth property. I just tested it and it seems to
work. (And yes, an attacker is not able to revert this using things like
Object.defineProperty(foo, "bar", { configurable: true}).)
N.B.: I just see that Trac has problems displaying the proto property but
I guess you know what I am referring to above...
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2819#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
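
The ES5 behaviour the comment above relies on, as an added example that is not part of the original ticket or of Torbutton's code: a getter defined with configurable set to false cannot be redefined or deleted afterwards, while the same hook with configurable set to true can. The objects `fakeProto` and `fakeWindow`, the helper names and the width 1283 are constructed stand-ins so the block runs outside a browser.

```javascript
// Constructed stand-in for the browser: fakeProto plays the role of
// window.__proto__ and fakeWindow the page's window object (hypothetical names).
function makeWindow(configurable) {
  var origWidth = 1283; // constructed sample value for the real width
  var fakeProto = {};
  Object.defineProperty(fakeProto, "innerWidth", {
    get: function () { return Math.round(origWidth / 50.0) * 50; },
    configurable: configurable
  });
  return { fakeProto: fakeProto, fakeWindow: Object.create(fakeProto) };
}

// Attempt to replace the hook, flipping configurable back on in the same call.
function tryRedefine(proto) {
  try {
    Object.defineProperty(proto, "innerWidth", {
      get: function () { return 1283; },
      configurable: true
    });
    return { redefined: true, error: null };
  } catch (e) {
    return { redefined: false, error: e.name }; // TypeError when locked
  }
}

// Run the hook with the given setting and report whether it survives.
function demo(configurable) {
  var w = makeWindow(configurable);
  var before = w.fakeWindow.innerWidth;
  var attempt = tryRedefine(w.fakeProto);
  // Deletion is checked on a fresh object so both checks start from the hook.
  var fresh = makeWindow(configurable);
  var deleteBlocked = !Reflect.deleteProperty(fresh.fakeProto, "innerWidth");
  return {
    before: before,
    redefined: attempt.redefined,
    error: attempt.error,
    after: w.fakeWindow.innerWidth,
    deleteBlocked: deleteBlocked
  };
}

console.log("configurable: false ->", demo(false)); // hook survives
console.log("configurable: true  ->", demo(true));  // hook is replaced
```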