[tbb-bugs] #13439 [Tor Browser]: Inspector raises the canvas prompt when hovering over images
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Nov 26 00:14:12 UTC 2014
#13439: Inspector raises the canvas prompt when hovering over images
-----------------------------+-------------------------------------
     Reporter:  dcf          |          Owner:  tbb-team
         Type:  defect       |         Status:  new
     Priority:  minor        |      Milestone:
    Component:  Tor Browser  |        Version:
   Resolution:               |       Keywords:  tbb-easy, tbb-usability
Actual Points:               |      Parent ID:
       Points:               |
-----------------------------+-------------------------------------
Comment (by gacar):
According to
[https://github.com/mozilla/pdf.js/wiki/Frequently-Asked-Questions#can-i-load-a-pdf-from-another-server-cross-domain-request PDF.js FAQ]
and [https://bugzilla.mozilla.org/show_bug.cgi?id=714712#c116 this
comment], most of the PDF.js code runs with content privileges.
So, adding an `IsCallerChrome` check would work for the Inspector, but not
for PDF.js.
Can whitelisting `resource://pdf.js` by scheme/URL be abused for
fingerprinting? If we cannot think of a way, fixing this could help with
[https://twitter.com/Cryptomeorg/status/536678971292016640 false
positives] and related alert fatigue.
If you like the approach (exempt chrome callers with `IsCallerChrome` and
whitelist PDF.js via scheme/URL whitelist) I could submit a new patch.
See also [https://trac.torproject.org/projects/tor/ticket/10570 #10570].
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13439#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online