[tor-bugs] #16607 [Tor Browser]: Allow SVG for extensions, even on "high" security level
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Jul 20 19:25:22 UTC 2015
#16607: Allow SVG for extensions, even on "high" security level
-----------------------------+-------------------------------
Reporter: mbauer | Owner: tbb-team
Type: defect | Status: needs_information
Priority: normal | Milestone:
Component: Tor Browser | Version:
Resolution: | Keywords: tbb-usability
Actual Points: | Parent ID:
Points: |
-----------------------------+-------------------------------
Changes (by mcs):
* status: new => needs_information
Comment:
Replying to [comment:2 gk]:
> This should not happen as we only disallow SVG in content. mcs, brade
any ideas? Sounds like our old problem to differentiate exactly between
content and chrome code.
Agreed. I think a resource:// page will be recognized as content by our
SVG blocking code when it is rendered in a browser window. Whitelisting
may be risky because web pages can load objects via resource:// URLs. I
have not looked at what NoScript does for whitelisting though.
mbauer: Can you make your extension available to us for testing or
provide a test case?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16607#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list