[tor-bugs] #20915 [Applications/Tor Browser]: Web developer network tab breaks first-party isolation in some cases
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Dec 7 11:02:49 UTC 2016
#20915: Web developer network tab breaks first-party isolation in some cases
-------------------------------------+-------------------------------------
Reporter: gk | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor | Version:
Browser | Keywords: ff52-esr, tbb-
Severity: Normal | linkability
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
-------------------------------------+-------------------------------------
There are rare cases where the first-part isolation breaks if the Web
developer Network tab is open. This got first reported on our blog:
https://blog.torproject.org/blog/tor-browser-65a5-released#comment-224102
Steps to reproduce (works both in the stable and the alpha series on Linux
at least):
1) Start a fresh Tor Browser and set the Torbutton log level to "3"
2) Open the Network tab in the Web developer console (Ctrl + Shift + Q)
3) Go to https://torproject.org
4) Reload the page with the arrow in the URL bar
Result:
Torbutton INFO: tor SOCKS isolation catchall:
https://www.torproject.org/images/onion-heart.png via
--unknown--:de6a28fb71abeba4febbbdde61de345e
It is actually only the request for the onion heart that is affected. And
having the Network tab open is crucial for reproducing the bug.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20915>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list