[tor-bugs] #8725 [Firefox Patch Issues]: resource:// URIs leak information

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Apr 4 05:06:20 UTC 2014


#8725: resource:// URIs leak information
-------------------------------------+-------------------------------------
     Reporter:  holizz               |      Owner:  mikeperry
         Type:  defect               |     Status:  assigned
     Priority:  major                |  Milestone:
    Component:  Firefox Patch        |    Version:
  Issues                             |   Keywords:  tbb-fingerprinting,
   Resolution:                       |  tbb-rebase-regression
Actual Points:                       |  Parent ID:
       Points:                       |
-------------------------------------+-------------------------------------

Comment (by saint):

 This can be bypassed in a couple of different ways (just off the top of my
 head).  One is by pretending to be a non-Firefox browser (as mentioned
 above), which has some serious compatibility issues with sites that serve
 up different code to different browsers.  Another is to strip resource://
 requests on pageload when possible. The extension set ''Disconnect'' does
 this for around a million users.  In Chrome, this would be dead simple
 with ''beforeload'' coupled with a background script but Firefox isn't
 impossible.

 Perhaps make a Firefox extension that sets an observer (using ''observer-
 service'') to listen for ''http-on-modify-request'' (literally any
 request) which can detect url scheme/prefix.  Then block those requests.
 Or respond to all of them with gibberish.

 To some extent this is less of an issue because the Tor browser bundle
 user group is comparatively homogeneous. A larger issue is that it's
 possible to detect extensions used and launch an exploit for only those
 users (again, less of an issue for TBB, but a large issue for the internet
 as a whole).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8725#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
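
Added example, not part of the comment above and not Tor Project or Disconnect code: the scheme check that a request-blocking extension of the kind the comment proposes would apply to each load, written as plain JavaScript so it runs outside the browser. The function names, the privileged-origin list, the wrapper list and the sample URLs are all assumptions made for illustration; the browser hook that would call decide() is left out.

```javascript
// Browser-internal schemes that web content should not be able to probe.
const INTERNAL_SCHEMES = new Set(["resource:", "chrome:"]);
// Origins that are browser-internal themselves and may load internal URLs (assumed list).
const PRIVILEGED_ORIGINS = new Set(["resource:", "chrome:", "about:"]);
// Wrapper prefixes whose inner URL is what actually gets loaded (assumed list).
const WRAPPERS = ["view-source:", "jar:"];

// Return the lower-cased scheme ("resource:") of a URL string, or null if unparseable.
function schemeOf(spec) {
  let s = String(spec).trim();
  // Peel wrappers so "view-source:resource://..." is judged by its inner URL.
  let peeled = true;
  while (peeled) {
    peeled = false;
    for (const w of WRAPPERS) {
      if (s.toLowerCase().startsWith(w)) {
        s = s.slice(w.length);
        peeled = true;
      }
    }
  }
  try {
    return new URL(s).protocol; // the WHATWG parser lower-cases the scheme
  } catch (e) {
    return null;
  }
}

// Decide one load. targetSpec is the URL being fetched; originSpec is the page
// asking for it, or null when the browser itself started the load.
// Assumes the calling hook passes absolute URLs.
function decide(targetSpec, originSpec) {
  const target = schemeOf(targetSpec);
  if (target === null) return "reject";            // fail closed on garbage
  if (!INTERNAL_SCHEMES.has(target)) return "accept";
  if (originSpec == null) return "accept";         // browser-initiated load
  // An unparseable origin yields null, which is not privileged, so it is rejected.
  return PRIVILEGED_ORIGINS.has(schemeOf(originSpec)) ? "accept" : "reject";
}

// Constructed sample loads: [target, origin].
const SAMPLE_LOADS = [
  ["resource://example-ext/data/icon.png", "https://example.com/"],
  ["https://example.com/app.js", "https://example.com/"],
  ["resource://example-ext/data/icon.png", "about:addons"],
];
const audit = (loads) => loads.map(([t, o]) => decide(t, o));
```

Keying the decision on the requesting origin rather than on the target alone keeps the browser's own resource:// loads working while denying web pages the probe.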