[tor-bugs] #13818 [Tor Browser]: [PATCH] Active tab looks ugly (inherits system color scheme only partially)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jan 14 19:11:46 UTC 2015
#13818: [PATCH] Active tab looks ugly (inherits system color scheme only partially)
-----------------------------+-----------------------------------
Reporter: gentoo_root | Owner: tbb-team
Type: defect | Status: needs_review
Priority: normal | Milestone:
Component: Tor Browser | Version:
Resolution: | Keywords: TorBrowserTeam201501R
Actual Points: | Parent ID:
Points: |
-----------------------------+-----------------------------------
Comment (by mcs):
OK, as an experiment Kathy and I modified
nsScriptSecurityManager::CheckLoadURIWithPrincipal() to block access to
chrome:, resource:, and moz-icon: URLs from content (without our change,
access is allowed to URLs that are "whitelisted" via the
contentaccessible=yes chrome registration flag). So what did we
break? Some testing on Mac OS revealed the following:

* FTP listings are very ugly (no icons, no styling).
* Fav icons are OK.
* View source is ugly (no stylesheet).
* The feed reader is broken (JS and CSS not loaded).
* pdf.js seems to work OK. This is because the security principal is
  resource://pdf.js/web/viewer.html. In contrast, the security principal
  that is passed into CheckLoadURIWithPrincipal() when loading an FTP
  listing is the ftp: URL itself.

So... Kathy and I conclude that a lot of things will break if we
completely disable access to chrome:, resource:, and moz-icon: from
content. I think it would be a good idea for Mozilla to clean up their
architecture and code in this area; it would be a lot for us to take on.

I see that Mike filed #14205 for the general issue of dependence upon
IsCallerChrome() and presumably related calls such as
presContext->IsChrome().

For this specific bug, Kathy and I think the original patch is OK and
should be merged.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13818#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online