[tbb-bugs] #15599 [Applications/Tor Browser]: Range requests used by pdfjs are not isolated to URL bar domain

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon May 29 18:30:14 UTC 2017

#15599: Range requests used by pdfjs are not isolated to URL bar domain
 Reporter:  gk                        |          Owner:  tbb-team
     Type:  defect                    |         Status:  assigned
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-linkability           |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:

Comment (by cypherpunks):

 And its OCSP requests too:
 [05-29 18:16:40] Torbutton INFO: tor SOCKS: http://ocsp.usertrust.com/ via
 Replying to [ticket:15599 gk]:
 > Works even in a third party context with
 https://people.torproject.org/~gk/misc/range-request-test.html (your
 security slider level needs to be below medium-high in this case).
 Security Error: Content at
 https://kpdyer.com/publications/usenix2014-fte.pdf#disableRange=true may
 not load data from https://people.torproject.org/~gk/misc/range-request-
 Load denied by X-Frame-Options:
 https://kpdyer.com/publications/usenix2014-fte.pdf#disableRange=true does
 not permit cross-origin framing.  (unknown)
 Hrm, does PDF.js support Private Browsing Mode?

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15599#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list