[tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Jun 11 04:35:29 UTC 2016
#8725: resource:// URIs leak information
-------------------------------------------------+-------------------------
Reporter: holizz | Owner: tbb-
Type: defect | team
Priority: Very High | Status:
Component: Applications/Tor Browser | needs_review
Severity: Major | Milestone:
Keywords: tbb-fingerprinting, tbb-rebase- | Version:
regression, tbb-testcase, tbb-firefox-patch, | Resolution:
TorBrowserTeam201606R | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by yawning):
Replying to [comment:29 cypherpunks]:
> My original idea is that only privileged `chrome://` or `about:` pages
can initiate a redirect to the blocked resources. If there is no such
redirecting URIs accessible from content, there should be no leaks.
After looking at the documentation and the relevant specs, I'm 99.9% sure
you're correct.
`XMLHttpRequest()` will fail the same-origin check, since the request is
not coming from internal to the Firefox code (requests dispatched from
inside Firefox can bypass the check completely, but poorly written addons
are not our problem).
`Fetch()` refuses to have anything to do with redirects to non-HTTP(s)
scheme URLs. (See: 5.4 HTTP-redirect fetch).
> However, testing is needed anyway.
Yeah.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8725#comment:30>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list