[tor-bugs] #18741 [Applications/Tor Browser]: OCSP and favicon isolation is only partly working in ESR 45

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Apr 21 15:46:46 UTC 2016 

#18741: OCSP and favicon isolation is only partly working in ESR 45
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-
     Type:  defect                               |  team
 Priority:  High                                 |         Status:
Component:  Applications/Tor Browser             |  needs_information
 Severity:  Major                                |      Milestone:
 Keywords:  ff45-esr, tbb-6.0a5,                 |        Version:
  TorBrowserTeam201604R                          |     Resolution:
Parent ID:                                       |  Actual Points:
 Reviewer:                                       |         Points:
                                                 |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by mcs):

 * status:  needs_review => needs_information


Comment:

 Replying to [comment:8 arthuredelstein]:
 > OK, here's the new branch. I tested on Ubuntu and got all favicon and
 OCSP requests running through the first party domain:
 > https://github.com/arthuredelstein/tor-browser/commits/16326+3
 > Note there are three commits here.
 > * 483bd1684d437f0e03743b9573990240d77e8acc adds a fix for #16326
 > * 4117c6b544e4fba93d192262aeabc0be4f38c4d7 fixes favicon cache and
 network isolation

 Can you explain why the above patch is needed? Why aren't we passing the
 correct aNode in all cases? I am worried that we will poke around in the
 ancestor elements looking for a "firstparty" attribute in a lot more cases
 now, and I am not sure what the implications are (but I have not run the
 code yet).

 > * 8317e098f0b880eded1301fe40e3e9fd1b813fc3 adds network isolation
 testing to our cache isolation regression test patch

 It would have helped me if there was a comment inside the
 observeChannels() callback that explained how the check worked, e.g.,
 {{{
 // All "thirdPartyChild" resources are loaded from example.net, so we
 expect
 // the first party host to be .com or .org.
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18741#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list