[tor-bugs] #15502 [Tor Browser]: URL.createObjectURL() considered harmful
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Apr 16 18:48:27 UTC 2015
#15502: URL.createObjectURL() considered harmful
-------------------------+-------------------------------------------------
     Reporter:  mikeperry    |      Owner:  arthuredelstein
         Type:  defect       |     Status:  needs_review
     Priority:  major        |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:  tbb-linkability, tbb-newnym,
                             |              tbb-4.5-alpha, TorBrowserTeam201504R,
                             |              MikePerry201504R
Actual Points:               |  Parent ID:
       Points:               |
-------------------------+-------------------------------------------------
Comment (by mcs):
Replying to [comment:15 mikeperry]:
> The tor-browser patch looks mostly ok to me, though I am a little
> worried about the use of nsContentUtils::GetDocumentFromCaller() in
> ThirdPartyUtil::GetFirstPartyHostFromCaller(). It is reminding me of
> #13027. We ultimately discovered that WebWorkers were given the correct
> Javascript context after creation, but can we explicitly test WebWorkers
> to ensure they can't access blob uris from different first party domains
> as well, just to be sure? Probably also wise to make this an actual
> in-tree test to ensure that it doesn't change on us in ff38-esr.
>
> I think it might also be helpful to have mcs+brade to weigh in on this
> approach.

The use of nsContentUtils::GetDocumentFromCaller() caught our eye as well
since we were not aware that such a call existed. It is only used in a
couple of unimportant places in the Mozilla code, but Kathy and I think it
will do the right thing as long as there is a JS context in the call
stack. It would be nice to use a different approach, but it seems like
the BlobURI implementation is really designed without "same origin" or
other concepts in mind. I wonder if anyone at Mozilla did a security
review of the design.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15502#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online