[tor-bugs] #23745 [Applications/Tor Browser]: Tab crashes when using Tor Browser to access Google Drive

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Oct 4 23:44:20 UTC 2017


#23745: Tab crashes when using Tor Browser to access Google Drive
-------------------------------------------------+-------------------------
 Reporter:  angelotheram2                        |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:
                                                 |  assigned
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Major                                |     Resolution:
 Keywords:  tbb-crash, tbb-e10s,                 |  Actual Points:
  TorBrowserTeam201710                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by arthuredelstein):

 I was able to reliably reproduce this crash and by bisecting our patches I
 tracked it down to our indexedDB patch:
 https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-
 browser-52.4.0esr-7.5-1&id=31348e47a340494c4002b43d8fb509689f8f7e63
 The work for this patch and its predecessor are at #21308 and #16528
 respectively.

 I also confirmed that if I set "dom.indexedDB.enabled" to true, the
 browser no longer crashes. (Flipping this pref is not recommended for
 users, because of privacy/tracking implications. I mention it only for
 debugging purposes.)

 gk observed that the crash is being caused by a block of code in
 ActorsParent.cpp:
 {{{
 if (principalInfo.type() != PrincipalInfo::TSystemPrincipalInfo &&
     NS_WARN_IF(!Preferences::GetBool(kPrefIndexedDBEnabled, false))) {
   if (aContentParent) {
     // The DOM in the other process should have kept us from receiving any
     // indexedDB messages so assume that the child is misbehaving.
     aContentParent->KillHard("IndexedDB CheckPermission 1");
   }
   return NS_ERROR_DOM_INDEXEDDB_NOT_ALLOWED_ERR;
 }
 }}}

 But this does not happen if "dom.indexedDB.enabled" is true. I have yet to
 investigate why.

 In the meantime, I am trying to work out what our strategy should be for
 indexedDB.
 * indexedDB is a supercookie vector and has not yet been patched to
 respect first-party isolation in Tor Browser or Firefox.
 * There is [https://bugzilla.mozilla.org/show_bug.cgi?id=781982 a Mozilla
 ticket] for enabling a memory-only indexeddb in Firefox but this has not
 been resolved. In other words, indexeddb always writes to disk.
 * As [https://trac.torproject.org/projects/tor/ticket/16528#comment:7
 mikperry pointed out], there wasn't a good way to programmatically clear
 indexedDB databases. That issue may have been recently fixed in
 [https://bugzilla.mozilla.org/show_bug.cgi?id=1047098 Firefox] and we
 should investigate if we can use this in New Identity.
 * In PBM, indexedDB is already effectively disabled, even when
 "dom.indexedDB.enabled" is true.
 * Modernizr was [https://github.com/Modernizr/Modernizr/pull/2030 updated]
 a year ago to correctly detect the absence of indexedDB in Firefox PBM.
 So here are my thoughts. We should of course continue to disable indexedDB
 in PBM until it can be
 [https://bugzilla.mozilla.org/show_bug.cgi?id=781982 memory-only],
 [https://bugzilla.mozilla.org/show_bug.cgi?id=1047098 programmatically
 cleared], and [https://bugzilla.mozilla.org/show_bug.cgi?id=1405884
 isolated by first party].

 There was a concern that some users might disable PBM and then New
 Identity would fail to wipe indexedDB. Do we actually want to claim to
 protect users who turn off PBM? That seems possibly out of scope to me. If
 that's the case, it seems to me we can rely on indexedDB being disabled in
 PBM by Firefox's built-in mechanism and drop the #21308 patch?

 But if we want to protect non-PBM users, then we should investigate
 whether New Identity can clear indexedDB (#23768). That ticket would be
 useful in the future if we wanted to enable indexedDB in PBM as well.

 If instead we want to ensure we have disabled indexedDB in non-PBM windows
 as well, then I would suggest writing a new patch that simply stops
 exposing indexedDB to content by modifying [https://dxr.mozilla.org
 /mozilla-
 esr52/rev/8abd6da9603d45bb1e29994a480e10affbb8c7d8/dom/webidl/WindowOrWorkerGlobalScope.webidl#61
 dom/webidl/WindowOrWorkGlobalScope.webidl], so indexedDB is not exposed
 when the pref "dom.indexedDB.enabled" is false.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23745#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list