[tor-bugs] #9308 [Firefox Patch Issues]: JavaScript's BrowserFeedWriter() leaks installation paths on OS X and Windows

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Apr 3 19:43:43 UTC 2014


#9308: JavaScript's BrowserFeedWriter() leaks installation paths on OS X and
Windows
-------------------------------------+-------------------------------------
     Reporter:  cypherpunks          |      Owner:  mikeperry
         Type:  defect               |     Status:  needs_review
     Priority:  critical             |  Milestone:
    Component:  Firefox Patch        |    Version:
  Issues                             |   Keywords:  tbb-fingerprinting,
   Resolution:                       |  tbb-easy, interview,
Actual Points:                       |  GeorgKoppen201404R
       Points:                       |  Parent ID:
-------------------------------------+-------------------------------------

Comment (by gk):

 Replying to [comment:18 arthuredelstein]:
 > Replying to [comment:17 gk]:
 > > Okay, interesting Mozilla folks are doubting that this is a
 > > cross-compile issue (see my filed bug). So, you might want to chime in
 > > there and explain why they are wrong. :)
 >
 > :) I've written a comment:
 > https://bugzilla.mozilla.org/show_bug.cgi?id=991522#c5
 >
 > > That said, the BrowserFeedWriter thing will be fixed in ESR 31
 > > (https://bugzilla.mozilla.org/show_bug.cgi?id=983845). Not sure about
 > > the other test you made. I did not get it to run.
 >
 > Sorry about that, I mistyped the other example in the comment. It's
 > fixed now. Try entering
 > `window.sidebar.addSearchEngine("http://", "http://", null, null);`
 > in the web console of Tor Browser on Mac or Windows.

 That is fixed on mozilla-central as well, yes!! I've not found the
 corresponding bug though, yet. So, strictly speaking we could think about
 closing this bug now. :) And maybe look at backporting those patches. Not
 sure how difficult this is going to be. Maybe they've fixed those leaks in
 a more generic way?

 > I can imagine there are other exceptions that may cause privacy leaks in
 > the same way, when the startup cache is not precompiled. I think it could
 > be quite challenging to find every privacy leak of this type. So it's
 > probably best for TBB to have the precompilation step to work on the
 > cross-compiled targets. I'm going to try to take the approach you
 > suggested, of borrowing the native xpcshell from the linux build and
 > providing it to the Mac and Windows builds.

 The major drawback of this approach is that users can't build Mac or
 Windows bundles anymore without compiling the Tor Browser for Linux as
 well (and, alas, they'd need both the 32bit and 64bit one)...

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9308#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

