[tbb-bugs] #13439 [Tor Browser]: Inspector raises the canvas prompt when hovering over images
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Nov 26 19:26:48 UTC 2014
#13439: Inspector raises the canvas prompt when hovering over images
-----------------------------+-------------------------------------
Reporter: dcf | Owner: tbb-team
Type: defect | Status: new
Priority: minor | Milestone:
Component: Tor Browser | Version:
Resolution: | Keywords: tbb-easy, tbb-usability
Actual Points: | Parent ID:
Points: |
-----------------------------+-------------------------------------
Comment (by mcs):
Replying to [comment:9 gacar]:
> According to [https://github.com/mozilla/pdf.js/wiki/Frequently-Asked-
Questions#can-i-load-a-pdf-from-another-server-cross-domain-request PDF.js
FAQ] and [https://bugzilla.mozilla.org/show_bug.cgi?id=714712#c116 this
comment], most of the PDF.js code runs with content privileges.
>
> So, adding a `IsCallerChrome` check would work for the Inspector, but
not for the PDF.js.
>
> Can whitelisting `resource://pdf.js` by scheme/URL be abused for
fingerprinting? If we cannot think of a way, fixing this could help with
[https://twitter.com/Cryptomeorg/status/536678971292016640 false
positives] and related alert fatigue.
>
> If you like the approach (exempt chrome callers with `IsCallerChrome`
and whitelist PDF.js via scheme/URL whitelist) I could submit a new patch.
Yes, please. This sounds like a good approach to me. I am not sure
exactly what the pdf.js whitelisting test needs to look like; there are a
bunch of files under browser/extensions/pdfjs/ so maybe we need a prefix
test? Or we need to figure out which file or files access canvas.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13439#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list