[tor-bugs] #3010 [TorBrowserButton]: Torbutton should disable link prefetching
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Apr 2 20:56:09 UTC 2013
#3010: Torbutton should disable link prefetching
------------------------------+---------------------------------------------
Reporter: HG2G | Owner: mikeperry
Type: defect | Status: new
Priority: normal | Milestone:
Component: TorBrowserButton | Version:
Keywords: tbb-linkability | Parent:
Points: | Actualpoints:
------------------------------+---------------------------------------------
Comment(by gk):
Replying to [comment:4 mikeperry]:
> My guess is this can't happen, because scripts and CSS elements won't
> get evaluated until the user actually clicks on the link to render the
> page.
Yes. Prefetching just downloads the resource and puts it into the cache.
See: nsPrefetchNode::OpenChannel()
> Cache isolation issues might be interesting to investigate, I guess?
Mmm... I made some basic tests with nested Iframes, images, first party
and third party loads and binding the prefetch cache entries to the domain
in the URL bar worked. BUT: Looking briefly at the code and
https://developer.mozilla.org/en-US/docs/Link_prefetching_FAQ I am
inclined to conclude that it is possible to get the cache key wrong as
there is no load context saved in the prefetch queue. Maybe that's even
exploitable by some clever attacker. I need to make some further tests and
take a more thorough look at the code...
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3010#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online