[tor-bugs] #9336 [Firefox Patch Issues]: Odd wyswig schemes without isolation for browserspy.dk

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Aug 2 15:06:46 UTC 2013


#9336: Odd wyswig schemes without isolation for browserspy.dk
----------------------------------+-----------------------------------------
 Reporter:  mikeperry             |          Owner:  mikeperry
     Type:  defect                |         Status:  new      
 Priority:  major                 |      Milestone:           
Component:  Firefox Patch Issues  |        Version:           
 Keywords:  tbb-linkability       |         Parent:           
   Points:                        |   Actualpoints:           
----------------------------------+-----------------------------------------

Comment(by mcs):

 After loading http://browserspy.dk/screen.php, we see the following non-
 isolated entries (all with scheme wyciwyg):

 wyciwyg://0/http://browserspy.dk/screen.php
 wyciwyg://1/http://browserspy.dk/screen.php
 wyciwyg://2/http://browserspy.dk/screen.php
 wyciwyg://3/https://googleads.g.doubleclick.net/pagead/ads... (URL
 truncated)
 wyciwyg://4/https://googleads.g.doubleclick.net/pagead/ads... (URL
 truncated)

 The wyciwyg scheme is used to keep a copy of content that was modified by
 JS (probably to support the back button in the browser, etc.). That scheme
 is not supposed to be accessible by web pages, but isolation might be a
 good idea.

 Mike, did you make the isolation changes for HTTP?  The Mozilla file that
 needs to be patched is probably
 netwerk/protocol/wyciwyg/nsWyciwygChannel.cpp (see
 nsWyciwygChannel::OpenCacheEntry(), etc.)

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9336#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

