[tbb-bugs] #13439 [Tor Browser]: Inspector raises the canvas prompt when hovering over images

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Nov 26 19:26:48 UTC 2014

#13439: Inspector raises the canvas prompt when hovering over images
     Reporter:  dcf          |      Owner:  tbb-team
         Type:  defect       |     Status:  new
     Priority:  minor        |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:  tbb-easy, tbb-usability
Actual Points:               |  Parent ID:
       Points:               |

Comment (by mcs):

 Replying to [comment:9 gacar]:
 > According to [https://github.com/mozilla/pdf.js/wiki/Frequently-Asked-Questions#can-i-load-a-pdf-from-another-server-cross-domain-request PDF.js FAQ] and [https://bugzilla.mozilla.org/show_bug.cgi?id=714712#c116 this comment], most of the PDF.js code runs with content privileges.
 > So, adding an `IsCallerChrome` check would work for the Inspector, but not for PDF.js.
 > Can whitelisting `resource://pdf.js` by scheme/URL be abused for fingerprinting? If we cannot think of a way, fixing this could help with [https://twitter.com/Cryptomeorg/status/536678971292016640 false positives] and related alert fatigue.
 > If you like the approach (exempt chrome callers with `IsCallerChrome` and whitelist PDF.js via scheme/URL whitelist) I could submit a new patch.

 Yes, please.  This sounds like a good approach to me.  I am not sure
 exactly what the pdf.js whitelisting test needs to look like; there are a
 bunch of files under browser/extensions/pdfjs/ so maybe we need a prefix
 test?  Or we need to figure out which file or files access canvas.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13439#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
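
The whitelisting test discussed in this thread, sketched as an added example (not code from the ticket, Tor Browser or PDF.js): it contrasts a plain string-prefix test on the caller URL with a parsed scheme/host comparison plus an optional path prefix. The function names, the `callerIsChrome` boolean standing in for `IsCallerChrome`, and the sample URLs and paths are assumptions.

```javascript
// Added illustration; not Tor Browser or Gecko code. All names are hypothetical.
const PDFJS_SCHEME = "resource:";
const PDFJS_HOST = "pdf.js";

// Loose form: a plain string prefix test on the caller's script URL.
function naivePrefixExempt(callerUrl) {
  return callerUrl.startsWith("resource://pdf.js");
}

// Stricter form: parse first, then compare scheme and host exactly.
// pathPrefixes optionally narrows the exemption to specific files or directories.
function parsedExempt(callerUrl, pathPrefixes = ["/"]) {
  let url;
  try {
    url = new URL(callerUrl);
  } catch (e) {
    return false; // unparseable caller URL: no exemption
  }
  if (url.protocol !== PDFJS_SCHEME || url.host !== PDFJS_HOST) return false;
  if (url.username !== "" || url.password !== "") return false;
  return pathPrefixes.some((p) => url.pathname.startsWith(p));
}

// Combined decision: chrome callers are exempt, then the PDF.js allowlist applies.
function skipCanvasPrompt(callerIsChrome, callerUrl, pathPrefixes) {
  return callerIsChrome || parsedExempt(callerUrl, pathPrefixes);
}

// Constructed sample caller URLs (paths are assumptions, not taken from the ticket).
const SAMPLES = [
  "resource://pdf.js/build/pdf.js",
  "resource://pdf.js/web/viewer.js",
  "resource://pdf.js.example/build/pdf.js",
  "https://example.com/page.js",
];

// Returns both verdicts per URL so the differences are easy to see.
function compare(samples = SAMPLES, pathPrefixes = ["/build/"]) {
  return samples.map((u) => ({
    url: u,
    naive: naivePrefixExempt(u),
    parsed: parsedExempt(u, pathPrefixes),
  }));
}
```

The string-prefix form accepts every URL that merely begins with `resource://pdf.js`, while the parsed form exempts only the exact host and, when path prefixes are given, only the listed directories.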