[tor-bugs] #16783 [Tor Browser]: NoScript whitelist reset is fingerprintable
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Aug 13 01:08:59 UTC 2015
#16783: NoScript whitelist reset is fingerprintable
-------------------------------------------------+-------------------------
Reporter: mikeperry | Owner:
Type: defect | mikeperry
Priority: normal | Status: new
Component: Tor Browser | Milestone:
Keywords: tbb-fingerprinting, | Version:
MikePerry201508, TorBrowserTeam201508, | Actual Points:
tbb-5.0-regression | Points:
Parent ID: |
-------------------------------------------------+-------------------------
In my haste to fix #16730 in time for 5.0, I forgot to account for the
fact that the reset whitelist omits blob:, mediasource: and moz-safe-
about:. Technically websites can detect this and use it to fingerprint
users.
We should probably add these URIs back in to the whitelist if they are
absent, or remove them if they are present. I am leaning towards adding
them, since I suspect mediasource: and blob: are needed by some sites
(which is probably why Giorgio added them).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16783>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list