[tbb-bugs] #15562 [Tor Browser]: SharedWorker violate first party isolation (was: SharedWorker (and probably ServiceWorker) violate first party isolation)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Apr 2 22:01:19 UTC 2015
#15562: SharedWorker violate first party isolation
---------------------------------+-----------------------------
Reporter: arthuredelstein | Owner: tbb-team
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor Browser | Version:
Resolution: | Keywords: tbb-linkability
Actual Points: | Parent ID:
Points: |
---------------------------------+-----------------------------
Old description:
> Running a SharedWorker from an iframe allows passing of information via
> JavaScript between two websites. Here's a demo, where two tabs from
> different domains share uniquely identifying information. The first tab
> generates a random number, and the second tab displays the same random
> number.
>
> https://arthuredelstein.github.io/tordemos/sharedworker-parent.html
>
> I haven't looked at ServiceWorkers closely yet, but they appear to offer
> similar (possibly worse) ways to violate first party isolation.
New description:
Running a SharedWorker from an iframe allows passing of information via
JavaScript between two websites. Here's a demo, where two tabs from
different domains share uniquely identifying information. The first tab
generates a random number, and the second tab displays the same random
number.
https://arthuredelstein.github.io/tordemos/sharedworker-parent.html
--
Comment (by arthuredelstein):
(Narrowing ticket scope to SharedWorker only).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15562#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list