[tor-bugs] #28374 [Applications/Tor Browser]: ensure RequestStorageId cannot be accessed remotely
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Nov 9 17:03:18 UTC 2018
#28374: ensure RequestStorageId cannot be accessed remotely
-----------------------------------------+--------------------------
Reporter: mcs | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-fingerprinting,ff60-esr | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-----------------------------------------+--------------------------
Comment (by tom):
Because this is an IPC method not available to Web Content, there doesn't
seem to be any wiring to provide this to an actual website (especially
with EME disabled.)
However, there probably isn't anything that intentionally stops a
compromised content process from getting this data. (although it might not
work just because EME is disabled, but I'm unsure.)
I recommend we make this one of the bugs blocking #28147 and tackle it as
part of future 'harden the content process' work.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28374#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list