[tor-talk] Should DOM storage really be enabled by default in TorBrowser?
Aymeric Vitte
vitteaymeric at gmail.com
Fri Jun 20 09:22:58 UTC 2014
On 20/06/2014 10:44, Georg Koppen wrote:
> Aymeric Vitte:
>> That's really strange, why don't you just disable it like cookies,
>> indexedDB, etc?
> Cookies are not disabled in Tor Browser (only third party cookies). And,
> oh, there is this fun bug in Firefox:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=536509
>
> http://scarybeastsecurity.blogspot.com/2009/12/bypassing-intent-of-blocking-third.html
>
> Georg
So the logic is: we accept non-third-party cookies, therefore we accept
localStorage, and we suppose localStorage is disabled for third parties.
The problem is that if you block all cookies (like a Tor user should be
doing when visiting sites like yt), the localStorage remains available and
bypasses cookie blocking. If you take yt, you can see things floating
in localStorage like yt-remote-device-id {id, creation_date,
expire=creation_date+1 year}; even if ephemeral (from your design), it
persists until you close your browser.
And what's the point of allowing localStorage if you allow non third
party cookies?
There are bugs and unclear behavior of what happens in the main page or
in iframes, that's usual, everybody knows this, unclear behavior
between different option settings, and unclear behavior of blocking
options when they exist.
Your examples are the perfect illustration of this, I think at least the
users should be clearly aware of the risks and have the option to block
everything.
As I mentioned previously, any type of local storage is much more
dangerous than the usual cookie-like uses; even if we should disregard
the cases where you are hacking yourself, we cannot ignore the fact
that your local storage can be easily accessed by someone else if you
give him a chance.
I am waiting to read your design document but from my standpoint in the
frame of the Tor Browser it should be clearly blocked.
--
Peersm : http://www.peersm.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms
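The point made in this message (cookie blocking does not stop a site from parking a cookie-like identifier in localStorage) can be checked by a user or a privacy reviewer directly from the browser console. The following is an added example, not code from the thread, Tor Browser or the Tor Project: it walks a Storage-like object, flags entries that carry an identifier together with creation/expiry timestamps (the shape of the yt-remote-device-id record quoted above), reports the intended lifetime, and probes whether storage still accepts writes while cookies are reported as blocked. The key yt-remote-device-id and its fields id, creation_date and expire come from the message; the other field names, the regex for identifier-like tokens, and the sample storage contents are constructed assumptions.

```javascript
// Added example, not code from the original tor-talk thread: audit a web
// storage area for cookie-like tracking records and check whether storage is
// still writable while cookies are blocked. Key/field names taken from the
// message above: yt-remote-device-id with {id, creation_date, expire}; the
// other field names below are assumptions about what trackers commonly store.

const ID_FIELDS = ['id', 'uuid', 'device_id', 'client_id', 'visitor_id'];
const TIME_FIELDS = ['creation_date', 'created', 'expire', 'expires', 'timestamp'];
const MS_PER_DAY = 86400000;

// Long opaque tokens are typical of device/client identifiers (assumed heuristic).
function looksLikeIdentifier(value) {
  return typeof value === 'string' && /^[A-Za-z0-9_-]{16,}$/.test(value);
}

// Inspect one key/value pair and flag it if it looks like a tracking record.
function classifyEntry(key, raw) {
  let parsed;
  try { parsed = JSON.parse(raw); } catch (e) { parsed = raw; }
  const finding = { key, bytes: raw.length, idFields: [], timeFields: [], lifetimeDays: null, trackerLike: false };
  if (parsed !== null && typeof parsed === 'object') {
    for (const [field, value] of Object.entries(parsed)) {
      if (ID_FIELDS.includes(field) || looksLikeIdentifier(value)) finding.idFields.push(field);
      if (TIME_FIELDS.includes(field)) finding.timeFields.push(field);
    }
    // The record in the message carries creation_date and expire as timestamps;
    // their difference is how long the site intends the identifier to live.
    if (typeof parsed.creation_date === 'number' && typeof parsed.expire === 'number') {
      finding.lifetimeDays = Math.round((parsed.expire - parsed.creation_date) / MS_PER_DAY);
    }
    finding.trackerLike = finding.idFields.length > 0 && finding.timeFields.length > 0;
  } else {
    // A bare opaque token stored under its own key is also identifier-like.
    finding.trackerLike = looksLikeIdentifier(parsed);
  }
  return finding;
}

// Walk a Storage-like object (window.localStorage, sessionStorage, or the
// in-memory stand-in below) and classify every entry.
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    findings.push(classifyEntry(key, storage.getItem(key)));
  }
  return findings;
}

// The situation the message describes: cookies are blocked, yet storage still
// accepts writes. In a browser, pass navigator.cookieEnabled as the first argument.
function storageBypassesCookieBlock(cookiesEnabled, storage) {
  if (cookiesEnabled) return false;
  const probe = '__storage_audit_probe__';
  try {
    storage.setItem(probe, '1');
    storage.removeItem(probe);
    return true;            // write succeeded: blocking cookies did not block storage
  } catch (e) {
    return false;           // browser refused the write: blocking is effective
  }
}

// Constructed stand-in for window.localStorage so the example runs outside a browser.
function makeMemoryStorage(entries) {
  const map = new Map(Object.entries(entries));
  return {
    get length() { return map.size; },
    key(i) { const keys = Array.from(map.keys()); return i < keys.length ? keys[i] : null; },
    getItem(k) { return map.has(k) ? map.get(k) : null; },
    setItem(k, v) { map.set(k, String(v)); },
    removeItem(k) { map.delete(k); },
  };
}

// Constructed sample contents: one record shaped like the yt-remote-device-id
// entry from the message (expire = creation_date + 1 year), one bare token,
// and one harmless preference.
const CREATED = 1403255000000;   // constructed timestamp in milliseconds
const sampleStorage = makeMemoryStorage({
  'yt-remote-device-id': JSON.stringify({ id: 'AbCdEfGhIjKlMnOpQrSt', creation_date: CREATED, expire: CREATED + 365 * MS_PER_DAY }),
  'visitor_token': 'f3a9c1d2e4b6a8c0d1e2',
  'theme': 'dark',
});

console.log('tracker-like keys:', auditStorage(sampleStorage).filter(f => f.trackerLike).map(f => f.key));
console.log('storage bypasses cookie block:', storageBypassesCookieBlock(false, sampleStorage));
```

In a real browser the same calls are `auditStorage(window.localStorage)` and `storageBypassesCookieBlock(navigator.cookieEnabled, window.localStorage)`; run them once with cookies allowed and once with cookies blocked on the same site to see which records survive the cookie setting. The heuristic only reports candidates, so a flagged entry still needs a look by hand before concluding it is a tracking identifier.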