[tbb-bugs] #16607 [Tor Browser]: Allow SVG for extensions, even on "high" security level

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Jul 20 19:25:22 UTC 2015

#16607: Allow SVG for extensions, even on "high" security level
     Reporter:  mbauer       |      Owner:  tbb-team
         Type:  defect       |     Status:  needs_information
     Priority:  normal       |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:  tbb-usability
Actual Points:               |  Parent ID:
       Points:               |
Changes (by mcs):

 * status:  new => needs_information


 Replying to [comment:2 gk]:
 > This should not happen as we only disallow SVG in content. mcs, brade
 any ideas? Sounds like our old problem to differentiate exactly between
 content and chrome code.

 Agreed.  I think a resource:// page will be recognized as content by our
 SVG blocking code when it is rendered in a browser window.  Whitelisting
 may be risky because web pages can load objects via resource:// URLs.  I
 have not looked at what NoScript does for whitelisting though.

 mbauer:  Can you make your extension available to us for testing or
 provide a test case?

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16607#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list