[tor-bugs] #2874 [Firefox Patch Issues]: Block access to Components.interfaces from content script
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Aug 9 07:28:41 UTC 2014
#2874: Block access to Components.interfaces from content script
-------------------------------------+-------------------------------------
Reporter: mikeperry | Owner: mikeperry
Type: enhancement | Status: reopened
Priority: normal | Milestone:
Component: Firefox Patch | Version:
Issues | Keywords:
Resolution: | MikePerryIterationFires20110529,
Actual Points: 1 | backport-to-mozilla
Points: 4 | Parent ID:
-------------------------------------+-------------------------------------
Comment (by arthuredelstein):
In [https://bugzilla.mozilla.org/show_bug.cgi?id=790732 Mozilla bug
790732], Components.interfaces was converted to a "lazily-resolved shim".
I was able to confirm that this shim code in ESR31 exactly matches the
Components.interfaces object I observed in my demo in comment:11:
[[Image(Screen%20Shot%202014-08-09%20at%2012.08.15%20AM.png)]]
Moreover, a [https://bugzilla.mozilla.org/show_bug.cgi?id=429070#c37
comment] points out that the fix of 790732 resolved 429070 ("exposing
Components.interfaces to untrusted content leaks information about
installed extensions") because "...we only shim interfaces that expose DOM
constants (see kInterfaceShimMap in nsDOMClassInfo.cpp), which is the same
for everyone."
So assuming that's correct, I think we don't need to port this patch to
ESR31. There is still the question of how to block Components.interfaces
for the ESR24 branch of TB.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2874#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list