[tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Jul 28 22:04:07 UTC 2016
#8725: resource:// URIs leak information
-------------------------------------------------+-------------------------
Reporter: holizz | Owner: tbb-team
Type: defect | Status: needs_review
Priority: Very High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Resolution:
Keywords: tbb-fingerprinting, tbb-rebase-regression, tbb-testcase, tbb-firefox-patch, TorBrowserTeam201607R | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Changes (by mikeperry):
* cc: boklm (added)
Comment:
Couple points:
1. I think it *might* have been better to use http-on-modify-request here
rather than both the content policy and the response listener, but you
might also not have as much information there about the source content
url. Maybe this doesn't matter so much, since what we really want is a
direct Firefox patch. The extra observers will have a perf cost, though.
2. Given that we want to replace this by a direct patch, we should turn
Arthur's https://arthuredelstein.github.io/tordemos/resource-locale.html
into a Tor Browser test of some kind to verify that future versions behave
the same way. Boklm, can you handle that? Also, please add a test for
https://trac.torproject.org/projects/tor/ticket/8725#comment:38 about the
nested schemes. We should test that too.
Otherwise, I think this is OK, and I agree it is an improvement. For now,
I will merge this into the torbutton master branch for TBB 6.5-alpha,
since it may shake a few more issues loose.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8725#comment:40>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online