[tor-bugs] #15502 [Tor Browser]: URI.createObjectURL() considered harmful (was: Blob URIs considered harmful)

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Apr 7 21:12:11 UTC 2015


#15502: URI.createObjectURL() considered harmful
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  arthuredelstein
  mikeperry              |     Status:  assigned
         Type:  defect   |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  tbb-linkability, tbb-newnym,
  Browser                |  tbb-4.5-alpha, TorBrowserTeam201504
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:           |
-------------------------+-------------------------------------------------

Comment (by mikeperry):

 Unfortunately, there's another case where this will bite us. The
 mediasource: scheme was created alongside VP9, and is currently used by
 YouTube to play VP9 videos. mediasource URIs contain JavaScript handlers
 created by the MediaSource API, and are created by URI.createObject():
 https://html5-mediasource-api.googlecode.com/svn/tags/0.1/draft-spec/mediasource-draft-spec.html#examples

 It's not clear if URI.createObject() in that example is a typo for
 URL.createObjectURL(), or another API. Firefox 37 does not have a
 URI.createObject() or a URL.createObject().

 MediaSource support is currently present but disabled by default in
 Firefox 31. You need to set the prefs 'media.mediasource.enabled' and
 'media.mediasource.webm.enabled' to true in order for mediasource: URIs to
 be created. This means we may be able to get away with disabling
 URI.createObjectURL() for now, but once we hit FF38-ESR, we'll need to
 enable+isolate it, or YouTube will break.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15502#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

