[tbb-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jun 16 20:45:03 UTC 2016


#8725: resource:// URIs leak information
-------------------------------------------------+-------------------------
 Reporter:  holizz                               |          Owner:  tbb-
     Type:  defect                               |  team
 Priority:  Very High                            |         Status:
Component:  Applications/Tor Browser             |  needs_review
 Severity:  Major                                |      Milestone:
 Keywords:  tbb-fingerprinting, tbb-rebase-      |        Version:
  regression, tbb-testcase, tbb-firefox-patch,   |     Resolution:
  TorBrowserTeam201606R                          |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by arthuredelstein):

 I also made a test to see if I could use redirects from content to load
 resource:// or chrome:// URIs into <script> elements:

 https://arthuredelstein.github.io/tordemos/resource-locale.html

 In unpatched Firefox or TorBrowser, the redirects fail and the following
 error is shown in the Browser Console:
 {{{
 Security Error: Content at https://arthuredelstein.github.io/tordemos
 /resource-locale.html may not load or link to
 jar:file:///Applications/Firefox.app/Contents/Resources/browser/omni.ja!/defaults/preferences
 /webide-prefs.js.
 Security Error: Content at https://arthuredelstein.github.io/tordemos
 /resource-locale.html may not load or link to
 jar:file:///Applications/Firefox.app/Contents/Resources/browser/omni.ja!/chrome/browser/content/browser/browser.xul.
 }}}

 Direct loading of any prefs.js file succeeds.

 But with Yawning's branch, the direct loading is blocked as well. I also
 read over the patches and the code looks good to me, so I would be
 inclined to include it in torbutton. It would be nice to have the git
 subject line start with `Bug 8725:`.

 Regarding Yawning's `XXX` comment, I think it is nice to have resource:///
 URIs load in tabs for debugging purposes. So unless this introduces a
 vulnerability I would be inclined to leave it as is.

 Ideally we would come up with a C++ Firefox patch that could be
 upstreamed. But to avoid delay I think this torbutton patch is a good
 stopgap.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8725#comment:32>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list