[tbb-bugs] #26540 [Applications/Tor Browser]: Enabling pdfjs disableRange option prevents pdfs from loading

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Jul 14 01:56:56 UTC 2018

#26540: Enabling pdfjs disableRange option prevents pdfs from loading
 Reporter:  pospeselr                        |          Owner:  pospeselr
     Type:  defect                           |         Status:
                                             |  needs_review
 Priority:  Medium                           |      Milestone:
Component:  Applications/Tor Browser         |        Version:
 Severity:  Normal                           |     Resolution:
 Keywords:  ff60-esr, TorBrowserTeam201807R  |  Actual Points:
Parent ID:                                   |         Points:
 Reviewer:                                   |        Sponsor:
Changes (by pospeselr):

 * keywords:  ff60-esr, TorBrowserTeam201807 => ff60-esr,
 * status:  needs_information => needs_review


 Two patches, one for tor-browser and one for torbutton.

 The patches take an approach of 'smuggling' the first party domain on the
 existing nsIPrivateBrowsingChannel used by XMLHttpRequest.  Basically, the
 first-party domain is known when the range-based request is created, but
 since it's created from within chrome js code, it gets the System
 Principal which throws out all that info.  So, in pdfjs we set the
 firstPartyDomain on the channel object which is then read by torbutton.
 If torbutton fails to find a firstPartyDomain in the usual way from the
 OriginAttributes, it will try to read it off of the channel directly.

 With this smuggling hack in place, we should be able to fix any other
 'XMLHttpRequest-created-in-System-Principal' first-party isolation issues
 we come across.

 Currently doing an RBM build with the patches applied just to make sure it
 all works as expected without hacks.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26540#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list