[tbb-bugs] #28374 [Applications/Tor Browser]: ensure RequestStorageId cannot be accessed remotely

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Nov 9 17:03:18 UTC 2018


#28374: ensure RequestStorageId cannot be accessed remotely
-----------------------------------------+--------------------------
 Reporter:  mcs                          |          Owner:  tbb-team
     Type:  defect                       |         Status:  new
 Priority:  Medium                       |      Milestone:
Component:  Applications/Tor Browser     |        Version:
 Severity:  Normal                       |     Resolution:
 Keywords:  tbb-fingerprinting,ff60-esr  |  Actual Points:
Parent ID:                               |         Points:
 Reviewer:                               |        Sponsor:
-----------------------------------------+--------------------------

Comment (by tom):

 Because this is an IPC method not available to Web Content, there doesn't
 seem to be any wiring to provide this to an actual website (especially
 with EME disabled.)

 However, there probably isn't anything that intentionally stops a
 compromised content process from getting this data. (although it might not
 work just because EME is disabled, but I'm unsure.)

 I recommend we make this one of the bugs blocking #28147 and tackle it as
 part of future 'harden the content process' work.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28374#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list