[tor-bugs] #9308 [Firefox Patch Issues]: JavaScript's BrowserFeedWriter() leaks installation paths on OS X and Windows

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Apr 22 19:38:20 UTC 2014


#9308: JavaScript's BrowserFeedWriter() leaks installation paths on OS X and
Windows
-------------------------------------+-------------------------------------
     Reporter:  cypherpunks          |      Owner:  mikeperry
         Type:  defect               |     Status:  needs_revision
     Priority:  critical             |  Milestone:
    Component:  Firefox Patch        |    Version:
  Issues                             |   Keywords:  tbb-fingerprinting,
   Resolution:                       |  tbb-easy, interview
Actual Points:                       |  Parent ID:
       Points:                       |
-------------------------------------+-------------------------------------

Comment (by arthuredelstein):

 > A temporary patch for tor-browser.git would be cleaner, though,
 > especially as we would not need to touch tor-browser-bundle related things
 > and revert the changes later when ESR 31 lands. But as I said, dunno how
 > easy that is...

 I don't know how easy it is yet, but I agree that the tor-browser.git
 change (converting `file://` URIs to `resource://` URIs) is cleaner for
 the reason you give, as well as the fact that we aren't having to
 distribute more binary files. I'm going to give it a try.

 One other, slightly less ideal fix that might be good enough, and is
 certainly fairly easy to carry out, would be to redact the path of a JS
 file generating an error, and simply show its short name. So, instead of
 reporting
 `"jar:file:///Applications/TorBrowserBundle_en-US.app/Contents/MacOS/TorBrowser.app/Contents/MacOS/browser/omni.ja!/components/FeedWriter.js"`
 or
 `"resource://app/components/FeedWriter.js"`
 TBB would simply report
 `"FeedWriter.js"`.

 Obviously, that makes JS debugging a little more difficult, but I think most
 of the time, the short name is sufficient to find whatever file is
 producing an exception.

 I want to try the full `file://` to `resource://` conversion, but if that
 turns out to be too difficult, do you think this alternative "short-name"
 solution would be acceptable, at least as a stopgap until the ESR31
 rebase?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9308#comment:32>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
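
The "short-name" redaction proposed in the comment above, sketched as an added example (not code from tor-browser.git or from the commenter). `shortScriptName` and `redactStack` are hypothetical names, the sample stack is constructed from the two URIs quoted in the comment, and the ` -> ` handling assumes Firefox's notation for subscript-loaded files.

```javascript
// Added illustration: hypothetical helpers, not part of any Tor Browser patch.

// Reduce a script location (jar:, file://, resource:// or a raw OS path)
// to its final path segment, so no installation directory is exposed.
function shortScriptName(location) {
  if (typeof location !== "string" || location === "") return "";
  // Subscript loaders report "parent.js -> child.js"; keep the innermost script.
  let s = location.split(" -> ").pop().trim();
  // Drop any query string or fragment.
  s = s.replace(/[?#].*$/, "");
  // jar: URIs have the form jar:<archive URI>!/<entry>; keep only the entry.
  const bang = s.lastIndexOf("!/");
  if (bang !== -1) s = s.slice(bang + 2);
  // Treat Windows backslashes as separators and ignore trailing slashes.
  s = s.replace(/\\/g, "/").replace(/\/+$/, "");
  return s.slice(s.lastIndexOf("/") + 1);
}

// Apply the same redaction to each frame of a Firefox-style stack string,
// where a frame reads "function@location:line:column".
function redactStack(stack) {
  return stack.split("\n").map((frame) => {
    const m = /^(.*?)@(.*?)(:\d+(?::\d+)?)?$/.exec(frame);
    return m ? `${m[1]}@${shortScriptName(m[2])}${m[3] || ""}` : frame;
  }).join("\n");
}

// Constructed sample: line and column numbers are made up.
const SAMPLE_STACK = [
  "FW_init@jar:file:///Applications/TorBrowserBundle_en-US.app/Contents/MacOS/" +
    "TorBrowser.app/Contents/MacOS/browser/omni.ja!/components/FeedWriter.js:120:7",
  "@resource://app/components/FeedWriter.js:9",
].join("\n");

console.log(redactStack(SAMPLE_STACK));
```

Both frames come out naming only `FeedWriter.js`, so page script that catches the exception sees the same value regardless of platform or install location.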

