[tor-bugs] #8292 [Firefox Patch Issues]: Alter behavior of getFirstPartyURI and consumers
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri May 24 20:20:26 UTC 2013
#8292: Alter behavior of getFirstPartyURI and consumers
----------------------------------+-----------------------------------------
Reporter: mikeperry | Owner: mikeperry
Type: enhancement | Status: new
Priority: major | Milestone:
Component: Firefox Patch Issues | Version:
Keywords: tbb-linkability | Parent:
Points: | Actualpoints:
----------------------------------+-----------------------------------------
Comment(by mcs):

Kathy Brade and I started to work on this. After changing
mozIFirstPartyUtil.getFirstPartyURI() to return an error and log to the
Error Console when the URI lacks a host, we discovered a couple of
problems:

1) The image cache code generates a lot of calls to getFirstPartyURI()
that involve chrome: and moz-anno: URIs, none of which have hosts. This
results in excessive logging to the Error Console. For example, typing a
single "a" in the URL bar causes getFirstPartyURI() to log 13 messages in
my browser (due to chrome image load requests and favicon loads caused by
browser history access).

2) Some built-in pages use DOM Storage, e.g., about:home. We previously
allowed documents whose URIs lacked hosts to use local storage (no
isolation). With the change outlined in this bug, that is no longer
allowed. That might be OK, except the pages are not coded to handle that
situation. E.g., about:home encounters an uncaught exception in its JS
code and then fails to initialize its search feature.

Therefore, I think we need to come up with a more nuanced approach. Can
we allow trusted pages to use facilities such as DOM Storage and the image
cache even though their URIs lack hosts? Of course there would be no
isolation for such pages, but that seems OK to me.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8292#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
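
The two behaviours discussed in the comment above, modelled side by side as an added example that is not part of the original message and is not Tor Browser code. The allowlists, the use of the plain hostname as the isolation key, and the names strictKey, nuancedKey, replay and SAMPLE are assumptions made for illustration.

```javascript
// Added model, not Tor Browser code; every allowlist here is an assumption.
const HOST_SCHEMES = new Set(["http:", "https:"]);         // schemes treated as having a host
const TRUSTED_SCHEMES = new Set(["chrome:", "moz-anno:"]); // browser-internal image loads
const TRUSTED_ABOUT_PAGES = new Set(["about:home"]);       // built-in pages using DOM Storage
const SHARED = "(no isolation)";                           // key shared by trusted host-less URIs

function hostOf(uri) {
  const u = new URL(uri);
  return HOST_SCHEMES.has(u.protocol) ? u.hostname : "";
}

// Behaviour tried in the comment: every host-less URI logs and fails.
function strictKey(uri, log) {
  const host = hostOf(uri);
  if (!host) {
    log.push("getFirstPartyURI: no host for " + uri);
    throw new Error("no first-party host");
  }
  return host;
}

// Proposed behaviour: trusted host-less URIs get a shared key, silently.
function nuancedKey(uri, log) {
  const host = hostOf(uri);
  if (host) return host;
  const u = new URL(uri);
  if (TRUSTED_SCHEMES.has(u.protocol) || TRUSTED_ABOUT_PAGES.has(u.protocol + u.pathname)) {
    return SHARED;
  }
  log.push("getFirstPartyURI: no host for " + uri);
  throw new Error("no first-party host");
}

// Run a list of URIs through a policy; null marks a refused request.
function replay(keyFn, uris) {
  const log = [];
  const keys = uris.map((uri) => {
    try { return keyFn(uri, log); } catch (e) { return null; }
  });
  return { keys, errors: log.length };
}

// Constructed sample input: one web page, three internal URIs, one untrusted host-less URI.
const SAMPLE = [
  "https://example.com/page", "chrome://browser/skin/icon.png",
  "moz-anno:favicon:https://example.com/favicon.ico", "about:home", "data:text/plain,hi",
];
console.log(replay(strictKey, SAMPLE), replay(nuancedKey, SAMPLE));
```

Under the strict policy the internal URIs account for most of the logged errors and about:home gets no storage key; under the nuanced one only the untrusted host-less URI is refused.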