[tor-bugs] #13670 [Tor Browser]: ensure OCSP & favicons respect URL bar domain isolation
    Tor Bug Tracker & Wiki
    blackhole at torproject.org
    Wed Mar 25 04:08:05 UTC 2015

#13670: ensure OCSP & favicons respect URL bar domain isolation
---------------------------------+---------------------------------------
     Reporter:  arthuredelstein  |      Owner:  arthuredelstein
         Type:  defect           |     Status:  needs_revision
     Priority:  normal           |  Milestone:
    Component:  Tor Browser      |    Version:
   Resolution:                   |   Keywords:  tbb-linkability, ff38-esr
Actual Points:                   |  Parent ID:
       Points:                   |
---------------------------------+---------------------------------------
Changes (by mikeperry):
 * keywords:  tbb-4.5-alpha, TorBrowserTeam201503R => tbb-linkability,
     ff38-esr
 * status:  needs_review => needs_revision
Comment:
 The favicon portion of this patch checks and sets an nsINode attribute
 that specifies the first party. I believe this can be abused by content to
 set its own attributes to circumvent our domain isolation.
 I also feel that the OCSP cache isolation is too invasive - it touches too
 many pieces of the code. This patch seems very unlikely to be taken by
 Mozilla. We need to find a less invasive way of isolating the OCSP cache
 and requests.
 So that #13766 can still move forward, I pushed a Torbutton commit that
 keeps the circuit dirty timeout at 10 minutes for requests that we can't
 find a first party for.
 We can perhaps revisit this during/after the ff38-esr rebase, but it is
 too large, untested, and risky for 4.5.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13670#comment:28>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
    
    