commit 1b1c4e4143d57a72e02464ac3bc343bd6d57ec9e Author: Arthur Edelstein arthuredelstein@gmail.com Date: Sat Jul 14 08:50:55 2018 -0700

Bug 26353: Prevent speculative connect that violated FPI.

Connections were observed in the catch-all circuit when the user entered an https or http URL in the URL bar, or typed a search term. --- toolkit/components/remotebrowserutils/RemoteWebNavigation.js | 5 +++++ 1 file changed, 5 insertions(+)

diff --git a/toolkit/components/remotebrowserutils/RemoteWebNavigation.js b/toolkit/components/remotebrowserutils/RemoteWebNavigation.js index 9ca238359c0f..8f256f41953d 100644 --- a/toolkit/components/remotebrowserutils/RemoteWebNavigation.js +++ b/toolkit/components/remotebrowserutils/RemoteWebNavigation.js @@ -72,6 +72,10 @@ RemoteWebNavigation.prototype = { }, loadURIWithOptions(aURI, aLoadFlags, aReferrer, aReferrerPolicy, aPostData, aHeaders, aBaseURI, aTriggeringPrincipal) { +/******************************************************************************* + TOR BROWSER: Disable the following speculative connect until + we can make it properly obey first-party isolation. + // We know the url is going to be loaded, let's start requesting network // connection before the content process asks. // Note that we might have already setup the speculative connection in some @@ -95,6 +99,7 @@ RemoteWebNavigation.prototype = { // reason (such as failing to parse the URI), just ignore it. } } +*******************************************************************************/ this._sendMessage("WebNavigation:LoadURI", { uri: aURI, flags: aLoadFlags,