[tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Jun 27 12:12:19 UTC 2016
#8725: resource:// URIs leak information
Reporter: holizz | Owner: tbb-
Type: defect | team
Priority: Very High | Status:
Component: Applications/Tor Browser | needs_review
Severity: Major | Milestone:
Keywords: tbb-fingerprinting, tbb-rebase- | Version:
regression, tbb-testcase, tbb-firefox-patch, | Resolution:
TorBrowserTeam201606R | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
Comment (by gk):
Replying to [comment:32 arthuredelstein]:
> I also made a test to see if I could use redirects from content to load
resource:// or chrome:// URIs into <script> elements:
> https://arthuredelstein.github.io/tordemos/resource-locale.html
> In unpatched Firefox or TorBrowser, the redirects fail and the following
error is shown in the Browser Console:
> {{{
> Security Error: Content at https://arthuredelstein.github.io/tordemos
/resource-locale.html may not load or link to
> Security Error: Content at https://arthuredelstein.github.io/tordemos
/resource-locale.html may not load or link to
> }}}
Yes, I am not concerned with redirects breaking due to security errors. I
have not tested this but not including cross-origin loads might help here.
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8725#comment:34>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list