[tor-bugs] #18913 [Applications/Tor Browser]: about:tor should not have chrome privileges

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jun 21 11:28:29 UTC 2017 

#18913: about:tor should not have chrome privileges
--------------------------------------------+------------------------------
 Reporter:  mcs                             |          Owner:  mcs
     Type:  defect                          |         Status:
                                            |  needs_revision
 Priority:  Medium                          |      Milestone:
Component:  Applications/Tor Browser        |        Version:
 Severity:  Normal                          |     Resolution:
 Keywords:  ff52-esr, TorBrowserTeam201706  |  Actual Points:
Parent ID:                                  |         Points:
 Reviewer:                                  |        Sponsor:
--------------------------------------------+------------------------------
Changes (by gk):

 * keywords:  ff52-esr, TorBrowserTeam201706R => ff52-esr,
     TorBrowserTeam201706
 * status:  needs_review => needs_revision


Comment:

 Replying to [comment:7 mcs]:
 > Here is a patch for review:
 >
 https://gitweb.torproject.org/user/brade/torbutton.git/commit/?h=bug18913-01&id=984af558af58bb8715af72c4811acc7fc4253bc1
 > This change fixes #21948 and #22525 as well, so it would be great to
 include it in a Tor Browser release soon. While the patch is somewhat
 large, that is mainly because we had to move a lot of code out of
 torbutton.js into the new aboutTor-content.js content script (so it can
 run in the content process where the about:tor DOM is accessible).

 Looks good to me, thanks! Just some nits:
 {{{
 +  // process that is only available here (in the chrome process). It is
 sent
 +  // sent to the content process when an about:tor window is opened and
 in
 }}}
 just one "sent"
 {{{
 +   kAboutTorMessages: [ "AboutTor:ChromeData", "AboutTor:ToolbarData" ],
 +
 +   get isAboutTor() {
 +    return content.document.documentURI.toLowerCase() == "about:tor";
 }}}
 Indentation

 "the Tor Button item's x coordinate" -> "the x coordinate of Torbutton's
 toolbar item"

 "torbutton toolbar item" -> "Torbutton toolbar item"

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18913#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list