[tor-bugs] #8725 [Firefox Patch Issues]: resource:// URIs leak information
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Apr 4 05:06:20 UTC 2014
#8725: resource:// URIs leak information
-------------------------------------+-------------------------------------
Reporter: holizz | Owner: mikeperry
Type: defect | Status: assigned
Priority: major | Milestone:
Component: Firefox Patch | Version:
Issues | Keywords: tbb-fingerprinting,
Resolution: | tbb-rebase-regression
Actual Points: | Parent ID:
Points: |
-------------------------------------+-------------------------------------
Comment (by saint):
This can be bypassed in a couple of different ways (just off the top of my
head). One is by pretending to be a non-firefox browser (as mentioned
above), which has some serious compatibility issues with sites that serve
up different code to different browsers. Another is to strip resource://
requests on pageload when possible. The extension set ''Disconnect'' does
this for around a million users. In Chrome, this would be dead simple
with ''beforeload'' coupled with a background script but Firefox isn't
impossible.
Perhaps make a Firefox extension that sets an observer (using ''observer-
service'') to listen for ''http-on-modify-request'' (literally any
request) which can detect url scheme/prefix. Then block those requests.
Or respond to all of them with gibberish.
To some extent this is less of an issue because the Tor browser bundle
user group is comparatively homogenous. A larger issue is that it's
possible to detect extensions used and launch an exploit for only those
users (again, less of an issue for TBB, but large issue for internet as a
whole).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8725#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list