[tbb-bugs] #16607 [Tor Browser]: Allow SVG for extensions, even on "high" security level

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jul 30 15:40:55 UTC 2015

#16607: Allow SVG for extensions, even on "high" security level
     Reporter:  mbauer       |      Owner:  tbb-team
         Type:  defect       |     Status:  needs_information
     Priority:  normal       |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:  tbb-usability
Actual Points:               |  Parent ID:
       Points:               |

Comment (by mcs):

 Thank you for the sample add-on.  It really just creates content pages,
 and the SVG blocking code has no way to tell the difference between a page
 from your add-on and one created by a website.

 I am still somewhat uncomfortable with the idea of a whitelist because I
 fear that it could be used somehow by a web site to cause SVG content to
 be loaded (which is what we want to avoid).  I cannot say exactly how that
 would happen though.

 mbauer:  Do you know if there is a way to detect that a resource: page or
 other page which is loaded in the content area actually belongs to an add-
 on?  I suspect there is no way to detect that, but if there was, using
 such an approach would be better than implementing a whitelist.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16607#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list