[tor-bugs] #13818 [Tor Browser]: [PATCH] Active tab looks ugly (inherits system color scheme only partially)

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jan 13 12:48:07 UTC 2015


#13818: [PATCH] Active tab looks ugly (inherits system color scheme only partially)
-----------------------------+-----------------------------------
     Reporter:  gentoo_root  |      Owner:  tbb-team
         Type:  defect       |     Status:  needs_review
     Priority:  normal       |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:  TorBrowserTeam201501R
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+-----------------------------------

Comment (by gk):

 Replying to [comment:7 mcs]:
 > Our tests so far show that a remote page that loads a chrome:// SVG will
 not be able to access the DOM (which should mean that it cannot access the
 rendered colors of elements within the SVG).  The SVG image loads OK with
 an <img> tag but the same origin policy blocks loading via tags such as
 iframe and object.  So maybe the original patch is safe.

 Thinking a bit about our discussion yesterday. What about blocking access
 to chrome:// by website content generally? That could be a defense in
 depth in this case and, personally, I think websites should have no
 business at all with the browser chrome. The question would then of course
 be what breaks. But I fear even if we find a solution that works now,
 subtle and hard to detect changes might force us to regret not taking a
 more direct and clear-cut approach.

 To test a bit more my "we already have a fingerprinting issue"-claim I
 looked at the test.html on different machines and OSes and it seems that
 it gets rendered slightly different (the color values seem to not be the
 same across my systems/devices if I look close at the rendering). But as
 you mentioned above the question is then if a website could benefit from
 it (if it were an issue). Canvases should be blocked cross-origin as well.
 But I have not looked at it closer yet. It might be another reason for
 trying at least a more clear-cut approach.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13818#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list