commit e06085d63ed1d9b33787e04172365db2179003e1 Author: Yawning Angel yawning@schwanenlied.me Date: Wed Jul 12 20:04:38 2017 +0000
Bug 22899: `about:addons`'s "Get Addons" pane is unsafe and should be treated as such.
Loading Google Analytics as part of an IFRAME that implements an internal `about:` URL, without being explicitly opt-in is the total antithesis of privacy respecting. --- ChangeLog | 2 ++ .../sandboxed-tor-browser/internal/tor/surrogate.go | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index b19afe9..20716ab 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,8 @@
 Changes in version 0.0.10 - UNRELEASED:
 * Bug 22829: Remove default obfs4 bridge riemann.
 * Bug 22853: Something in SelfRando is totally brain damaged.
+ * Bug 22899: `about:addons`'s "Get Addons" pane is unsafe and should be
+ treated as such.
 * Bug 22901: Clarify/expand on the warnings for all the config settings.
Changes in version 0.0.9 - 2017-07-03:
diff --git a/src/cmd/sandboxed-tor-browser/internal/tor/surrogate.go b/src/cmd/sandboxed-tor-browser/internal/tor/surrogate.go
index b26019a..1d99431 100644
--- a/src/cmd/sandboxed-tor-browser/internal/tor/surrogate.go
+++ b/src/cmd/sandboxed-tor-browser/internal/tor/surrogate.go
@@ -35,6 +35,7 @@ import (
"cmd/sandboxed-tor-browser/internal/socks5"
 "cmd/sandboxed-tor-browser/internal/ui/config"
+ . "cmd/sandboxed-tor-browser/internal/utils"
 )
const (
@@ -60,6 +61,8 @@ const (
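Review bot: The dot import of `cmd/sandboxed-tor-browser/internal/utils` added in the import hunk pulls every exported name of that package into the file's scope so that `Debugf` can be called unqualified in handleConn further down; `golint` and `staticcheck` (ST1001) flag dot imports, and a reader of handleConn has no way to tell where `Debugf` is defined. Unless the file already dot-imports other packages (not visible here), an ordinary import `"cmd/sandboxed-tor-browser/internal/utils"` with the call written as `utils.Debugf(...)` keeps the name traceable and matches how `socks5` and `config` are used in the same file.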
// These responses are entirely synthetic so they don't matter.
 socksAddr = "127.0.0.1:9150"
+
+ aboutAddonsUnsafeHost = "discovery.addons.mozilla.org"
 )
func copyLoop(upConn, downConn net.Conn) {
@@ -137,6 +140,8 @@ type socksProxy struct {
 sNet, sAddr string
 tag string
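Review bot: `aboutAddonsUnsafeHost` is declared without a comment, and nothing near the declaration says what this host is or why it is singled out; the rationale only appears in handleConn's comment much further down. A one-liner above it such as `// aboutAddonsUnsafeHost is the host the about:addons "Get Addons" pane loads its IFRAME content from; handleConn refuses connections to it unless allowAboutAddons is set.` would make the constant self-explanatory. The same applies to the new `allowAboutAddons bool` field in the socksProxy hunk below, which could carry `// allowAboutAddons permits connections to aboutAddonsUnsafeHost; set from cfg.Sandbox.VolatileExtensionsDir in launchSocksProxy.`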
+ allowAboutAddons bool
+
 l net.Listener
 }
@@ -188,6 +193,18 @@ func (p *socksProxy) handleConn(conn net.Conn) {
 return
 }
+ // Disallow `about:addons` unless the extensions directory is volatile,
+ // because regardless of what Mozilla PR says about respecting privacy,
+ // loading Google Analytics in a page that gets loaded as an IFRAME as
+ // part of an `about:` internal page, is anything but.
+ if host, _ := req.Addr.HostPort(); strings.ToLower(host) == aboutAddonsUnsafeHost {
+ if !p.allowAboutAddons {
+ Debugf("sandbox: Rejecting request to `%s`", aboutAddonsUnsafeHost)
+ req.Reply(socks5.ReplyConnectionNotAllowed)
+ return
+ }
+ }
+
 // Append our isolation tag.
 if err := p.rewriteTag(conn, req); err != nil {
 req.Reply(socks5.ReplyGeneralFailure)
@@ -245,6 +262,7 @@ func launchSocksProxy(cfg *config.Config, tor *Tor) (*socksProxy, error) {
 if err != nil {
 return nil, err
 }
+ p.allowAboutAddons = cfg.Sandbox.VolatileExtensionsDir
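Review bot: The two nested `if`s in the new handleConn block can be a single guard, since the rejection only fires when both conditions hold: `if host, _ := req.Addr.HostPort(); !p.allowAboutAddons && strings.ToLower(host) == aboutAddonsUnsafeHost {`, which also keeps the happy path left-aligned as the rest of the function does. The debug line prints the constant rather than what the client actually sent; `Debugf("sandbox: Rejecting request to %q", host)` records the exact, case-preserved host that was refused, which is the more useful value when reading the log. Note that the match is an exact comparison against one host, so if the pane's URL ever changes upstream the block silently stops applying; a short comment stating that the constant must track the browser's discovery URL would make that maintenance burden explicit. handleConn begins before this hunk and its trailing context lines continue its body.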
go p.acceptLoop()