[tor-bugs] #14205 [Tor Browser]: Closely review all uses of IsCallerChrome() for e10s

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jul 30 14:22:48 UTC 2015


#14205: Closely review all uses of IsCallerChrome() for e10s
-------------------------+-------------------------------------------------
     Reporter:  mikeperry   |      Owner:  mcs
         Type:  task        |     Status:  assigned
     Priority:  major       |  Milestone:
    Component:  Tor Browser |    Version:
   Resolution:              |   Keywords:  tbb-fingerprinting, tbb-e10s,
Actual Points:              |              tbb-rebase, ff38-esr
       Points:              |  Parent ID:
-------------------------+-------------------------------------------------

Comment (by mcs):

 Kathy and I spent some time analyzing our use of
 nsContentUtils::isCallerChrome() and also thinking about when it makes
 sense to use it and when it does not.

 Currently, we use it in the following Tor Browser patches:

 1c671d687504e1886587f86c176248b6367bf7ac (#13016 - Hide CSS -moz-osx-font-smoothing)
 1df6eeba14da4e1924e3576ce1103e2c56d786d5 (#6253 - Add canvas image extraction prompt)
 797a6165050e97c3cdd700e342aea059e8afe895 (#4755 - Return window coords for mouse screenX/Y)
 8d2b33f78f325cc50ebbe1e2a6657254bacdd9fc (#15646 - Prevent keyboard layout fingerprinting)

 In each of the above cases, content JavaScript is always involved when we
 want to block access to fingerprinting vectors, so isCallerChrome() is OK
 to use.  Actually, it would be better to use
 nsContentUtils::ThreadsafeIsCallerChrome() instead in all cases because
 that call will do the right thing for web workers.

 We have not yet evaluated the situation when electrolysis is enabled.

 An alternative to IsCallerChrome() and ThreadsafeIsCallerChrome() is to
 use calls such as nsDocShell::GetIsContent() and
 nsPresContext::IsChrome().  Those methods return a value that is not based
 on who is asking (i.e., not based on what is in the call stack); the value
 returned is based on the context in which the document was created.  The
 problem with this approach is that if privileged code is manipulating a
 content document, we may want to allow access to otherwise blocked info...
 in which case ThreadsafeIsCallerChrome() is a better choice.

 For TB 5.0, Kathy and I think we should replace all of our
 IsCallerChrome() calls with ThreadsafeIsCallerChrome() but otherwise leave
 things as-is.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14205#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
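As an added model (not Gecko code and not part of the ticket), the distinction the comment draws between a caller-based check and a document-context check, using a gate shaped like the screenX/Y patch (#4755); the principal stack, Document and Point types are stand-ins assumed here for the real Gecko structures:

```cpp
// Added model, not Gecko code: contrasts a caller-based privilege check
// with a document-context check behind a fingerprinting gate.
#include <vector>

// Who is asking: a stack of principals standing in for the JS stack that
// nsContentUtils::IsCallerChrome() inspects (simplified assumption).
enum class Principal { Content, Chrome };
static std::vector<Principal> gCallStack;

struct ScopedCaller {
    explicit ScopedCaller(Principal p) { gCallStack.push_back(p); }
    ~ScopedCaller() { gCallStack.pop_back(); }
};

// Where the document was created, which nsDocShell::GetIsContent() /
// nsPresContext::IsChrome() report regardless of who is on the stack.
struct Document { bool isContentDocument; };

// Model of IsCallerChrome(): decided by the innermost caller only.
bool callerIsChrome() {
    return !gCallStack.empty() && gCallStack.back() == Principal::Chrome;
}

// Model of the document-context check: ignores the call stack entirely.
bool documentIsChrome(const Document& doc) { return !doc.isContentDocument; }

struct Point { int x, y; };

// Gate shaped like the screenX/Y patch: privileged callers get the real
// screen position, everyone else gets window-relative coordinates.
Point screenCoords(const Document& doc, Point real, Point windowOrigin,
                   bool useCallerCheck) {
    bool privileged = useCallerCheck ? callerIsChrome() : documentIsChrome(doc);
    if (privileged) return real;
    return {real.x - windowOrigin.x, real.y - windowOrigin.y};
}

// The case the comment raises: chrome code manipulating a content document.
// Returns true iff the caller check allows while the context check denies.
bool chromeOnContentDocDiffers() {
    Document contentDoc{true};
    ScopedCaller chrome(Principal::Chrome);
    Point real{1000, 500}, origin{100, 50};
    Point byCaller = screenCoords(contentDoc, real, origin, true);
    Point byContext = screenCoords(contentDoc, real, origin, false);
    return byCaller.x == 1000 && byCaller.y == 500 &&
           byContext.x == 900 && byContext.y == 450;
}
```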