[tor-bugs] #8292 [Firefox Patch Issues]: Alter behavior of getFirstPartyURI and consumers

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jun 4 15:48:44 UTC 2013 

#8292: Alter behavior of getFirstPartyURI and consumers
----------------------------------+-----------------------------------------
 Reporter:  mikeperry             |          Owner:  mikeperry
     Type:  enhancement           |         Status:  new      
 Priority:  major                 |      Milestone:           
Component:  Firefox Patch Issues  |        Version:           
 Keywords:  tbb-linkability       |         Parent:           
   Points:                        |   Actualpoints:           
----------------------------------+-----------------------------------------

Comment(by brade):

 Replying to [comment:4 mikeperry]:
 > Yes, I think it is fine to not log for trusted schemes, though we might
 want to give them a unique pseudo-host based on their scheme for purposes
 of cache isolation just in case.

 OK, here is a proposal:

 1) Change getFirstPartyURI() to fail and log for all schemes that lack a
 host that we do not specifically "whitelist" (so schemes like chrome: and
 about: would not cause a failure but data: and javascript: would).

 2) Add the following function to centralize generation of the pseudo hosts
 (this would be used to by the image loader, DOM storage, etc. to generate
 cache keys):
 {{{
   /**
    * getFirstPartyHostForIsolation
    *
    * Obtain the host or pseudo-host for aFirstPartyURI.  Some examples:
    *    aFirstPartyURI                         Return Value
    *    --------------                         ------------
    *    https://news.google.com/nwshp?hl=en    "news.google.com"
    *    about:home                             "--NoFirstParty-
 abouthome--"
    *    chrome://browser/skin/Toolbar.png      "--NoFirstParty-chrome--"
    *    data:image/png;base64,AAABAA...        <error thrown>
    *
    * @param aFirstPartyURI
    *        The first party URI.
    *
    * @return host or pseudo host.
    *
    * @throws if the URI lacks a host and the scheme is not one for which
    *         we generate a pseudo host.
    */
   AUTF8String getFirstPartyHostForIsolation(in nsIURI aFirstPartyURI);
 }}}

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8292#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list