[tor-bugs] #2873 [Tor bundles/installation]: Block Components.lookupMethod in TorBrowser

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Sat Apr 9 01:06:56 UTC 2011


#2873: Block Components.lookupMethod in TorBrowser
--------------------------------------+-------------------------------------
 Reporter:  mikeperry                 |          Owner:  mikeperry
     Type:  enhancement               |         Status:  new      
 Priority:  normal                    |      Milestone:           
Component:  Tor bundles/installation  |        Version:           
 Keywords:                            |         Parent:  #2871    
   Points:                            |   Actualpoints:           
--------------------------------------+-------------------------------------
 It appears that ECMAScript 5 added official support for hooking JS objects
 for protection against XSS. However, Firefox seems to have left a backdoor
 to undo these hooks in the form of Components.lookupMethod, which is
 marked "unconfigurable" (which means it cannot be hooked).

 We should remove this bit, and/or neuter this API in TorBrowser. This
 should allow us to safely write JS hooks to deal with fingerprinting
 issues in the window object and the DOM.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2873>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
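
The ECMAScript 5 mechanism the ticket refers to, as an added example that is not part of the ticket or of TorBrowser's code: a property accessor is hooked with `defineProperty` and locked with `configurable: false`, and the same flag is shown blocking a hook on an "unconfigurable" method. `fakeScreenProto` and `fakeComponents` are constructed stand-ins (assumptions), not the real Firefox objects; `Reflect` requires an ES2015 engine such as Node.

```javascript
// Install a defensive hook: report a fixed value, then lock the property so
// later code cannot redefine or delete it. Returns false if the engine refuses.
function installHook(obj, name, spoofed) {
  return Reflect.defineProperty(obj, name, {
    get() { return spoofed; },
    configurable: false,
    enumerable: true,
  });
}

// True if the property can still be replaced or deleted by later code.
function isHookable(obj, name) {
  const d = Object.getOwnPropertyDescriptor(obj, name);
  return d === undefined ? Object.isExtensible(obj) : d.configurable;
}

function demo() {
  // Constructed stand-in for a DOM prototype such as Screen.prototype.
  const fakeScreenProto = {};
  Object.defineProperty(fakeScreenProto, 'width', {
    get() { return 2560; },            // constructed "real" value
    configurable: true,
    enumerable: true,
  });
  const fakeScreen = Object.create(fakeScreenProto);

  // Constructed stand-in for an object exposing an "unconfigurable" method.
  const fakeComponents = {};
  Object.defineProperty(fakeComponents, 'lookupMethod', {
    value() { return 'original'; },
    writable: false,
    configurable: false,
  });

  const r = { before: fakeScreen.width };
  r.hookInstalled = installHook(fakeScreenProto, 'width', 1000);
  r.after = fakeScreen.width;
  // Once locked, a second redefinition and a delete both fail.
  r.rehooked = Reflect.defineProperty(fakeScreenProto, 'width', { get() { return 1; } });
  r.deleted = Reflect.deleteProperty(fakeScreenProto, 'width');
  // The same flag is what keeps the unconfigurable method from being hooked.
  r.lookupHookable = isHookable(fakeComponents, 'lookupMethod');
  r.lookupHooked = installHook(fakeComponents, 'lookupMethod', null);
  r.lookupStill = fakeComponents.lookupMethod();
  return r;
}
```
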

