[tor-bugs] #16775 [Tor Browser]: about:preferences is broken with security slider set to "High"
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Aug 19 20:55:35 UTC 2015
#16775: about:preferences is broken with security slider set to "High"
---------------------------+-----------------------------------------------
Reporter: gk | Owner: tbb-team
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor | Version:
Browser | Keywords: tbb-usability, tbb-5.0-regression
Resolution: | Parent ID:
Actual Points: |
Points: |
---------------------------+-----------------------------------------------
Changes (by mcs):
* cc: gk, mikeperry (added)
Comment:
Kathy and I have concluded that a whitelisting mechanism is needed. The
most straightforward solution is to enable SVG when the URI associated
with a document has one of the following schemes:
about: chrome: resource:
Doing so will fix this ticket as well as #16607. The only downside is
that chrome: and resource: URIs can be loaded by remote web pages, which
means they would be able to trigger execution of SVG code in a limited
way. Maybe we should have another ticket to disallow that kind of load,
but overall the risk seems acceptable.
Before we proceed with a fix, Kathy and I would like opinions from other
people as to whether whitelisting is safe. gk? mikeperry?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16775#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list