ma1 pushed to branch tor-browser-128.7.0esr-14.5-1 at The Tor Project / Applications / Tor Browser
Commits: d2be2499 by Henry Wilkes at 2025-02-03T11:53:29+00:00 BB 29745: Limit remote access to content accessible resources
- - - - - 7e470c8c by Henry Wilkes at 2025-02-03T11:53:30+00:00 fixup! BB 42716: Disable unwanted about: pages
TB 43308: Remove about:logo which exposes a branding asset.
- - - - -
2 changed files:
- caps/nsScriptSecurityManager.cpp - docshell/base/nsAboutRedirector.cpp
Changes:
===================================== caps/nsScriptSecurityManager.cpp =====================================
@@ -1044,6 +1044,48 @@ nsresult nsScriptSecurityManager::CheckLoadURIFlags(
 }
 }
+ // Only allow some "about:" pages to have access to contentaccessible
+ // "chrome://branding/" assets. Otherwise web pages could easily and
+ // consistently detect the differences between channels when their
+ // branding differs. See tor-browser#43308 and tor-browser#42319.
+ // NOTE: The same assets under the alternative URI
+ // "resource:///chrome/browser/content/branding/" should already be
+ // inaccessible to web content, so we only add a condition for the chrome
+ // path.
+ if (targetScheme.EqualsLiteral("chrome")) {
+ nsAutoCString targetHost;
+ rv = aTargetBaseURI->GetHost(targetHost);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (targetHost.EqualsLiteral("branding")) {
+ // Disallow any Principal whose scheme is not "about", or is a
+ // contentaccessible "about" URI ("about:blank" or "about:srcdoc").
+ // NOTE: "about:blank" and "about:srcdoc" would be unexpected here
+ // since such a document spawned by a web document should inherit the
+ // same Principal URI. I.e. they would be "http:" or "https:" schemes.
+ // But we add this condition for extra assurances.
+ // NOTE: Documents with null Principals, like "about:blank" typed by
+ // the user, would also be excluded since the Principal URI would be
+ // "moz-nullprincipal:".
+ if (!aSourceBaseURI->SchemeIs("about") ||
+ NS_IsContentAccessibleAboutURI(aSourceBaseURI)) {
+ return NS_ERROR_DOM_BAD_URI;
+ }
+ // Also exclude "about:reader" from accessing branding assets. I.e. if
+ // a web page includes `<img src="chrome://branding/..." />` we do not
+ // want it to render within "about:reader" either.
+ // Though it is unknown whether the information within "about:reader"
+ // would be exploitable by a web page, we also want to exclude
+ // "about:reader" for consistency: if it does not display in the
+ // original web page, it should not display in "about:reader" either.
+ nsAutoCString sourcePath;
+ rv = aSourceBaseURI->GetFilePath(sourcePath);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (sourcePath.EqualsLiteral("reader")) {
+ return NS_ERROR_DOM_BAD_URI;
+ }
+ }
+ }
 if (targetScheme.EqualsLiteral("resource")) {
 if (StaticPrefs::security_all_resource_uri_content_accessible()) {
 return NS_OK;
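Review bot: The "about:reader" exclusion compares the raw file path with `sourcePath.EqualsLiteral("reader")`, while about: module resolution elsewhere in the tree goes through `NS_GetAboutModuleName`, which, if I recall its implementation correctly, lower-cases the module name before the lookup; a source URI whose path differs only in letter case would then still resolve to the reader module yet slip past this case-sensitive comparison. The `NS_IsContentAccessibleAboutURI` check a few lines above presumably normalises the same way as the module lookup, so the two about: checks in this hunk would treat such a URI differently. Consider deriving the name the same way the redirector does, `nsAutoCString sourceModule; rv = NS_GetAboutModuleName(aSourceBaseURI, sourceModule); NS_ENSURE_SUCCESS(rv, rv);` and then testing `sourceModule.EqualsLiteral("reader")`, so that the exclusion follows the same normalisation as the page it is meant to cover. CheckLoadURIFlags continues past the end of this hunk.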
===================================== docshell/base/nsAboutRedirector.cpp =====================================
@@ -123,10 +123,9 @@ static const RedirEntry kRedirMap[] = {
 nsIAboutModule::IS_SECURE_CHROME_UI},
 {"logging", "chrome://global/content/aboutLogging.html",
 nsIAboutModule::ALLOW_SCRIPT},
- {"logo", "chrome://branding/content/about.png",
- nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT |
- // Linkable for testing reasons.
- nsIAboutModule::MAKE_LINKABLE},
+ // Do not allow web pages to link to about:logo, which varies between
+ // channels. See tor-browser#43308.
+ // Moreover, it exposes firefox-specific branding.
 {"memory", "chrome://global/content/aboutMemory.xhtml",
 nsIAboutModule::ALLOW_SCRIPT},
 {"certificate", "chrome://global/content/certviewer/certviewer.html",
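Review bot: The comment left in kRedirMap reads as if about:logo still exists but is merely unlinkable, whereas the entry is removed outright, so `about:logo` no longer resolves at all and a later reader looking for the table entry gets no hint of why it is absent. Suggest rewording it to `// about:logo is intentionally not registered: it would expose the` / `// chrome://branding/content/about.png asset, which varies between` / `// channels. See tor-browser#43308.`. Removing the entry rather than dropping MAKE_LINKABLE looks consistent with the nsScriptSecurityManager.cpp hunk, since an about: entry flagged URI_SAFE_FOR_UNTRUSTED_CONTENT presumably reaches the branding asset through the redirector rather than through the chrome-host check added there; worth stating that in the comment too. kRedirMap starts and ends outside this hunk.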