[tbb-bugs] #15562 [Tor Browser]: SharedWorker (and probably ServiceWorker) violate first party isolation
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Apr 2 20:49:07 UTC 2015
#15562: SharedWorker (and probably ServiceWorker) violate first party isolation
-----------------------------+--------------------------
Reporter: arthuredelstein | Owner: tbb-team
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor Browser | Version:
Keywords: tbb-linkability | Actual Points:
Parent ID: | Points:
-----------------------------+--------------------------
Running a SharedWorker from an iframe allows passing of information via
JavaScript between two websites. Here's a demo, where two tabs from
different domains share uniquely identifying information. The first tab
generates a random number, and the second tab displays the same random
number.
https://arthuredelstein.github.io/tordemos/sharedworker-parent.html
I haven't looked at ServiceWorkers closely yet, but they appear to offer
similar (possibly worse) ways to violate first party isolation.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15562>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list